feat: Add comprehensive product advisories for improved scanner functionality
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
This commit is contained in:
master
2025-11-17 00:09:26 +02:00
parent 08b27b8a26
commit 7b01c7d6ac
73 changed files with 3993 additions and 697 deletions


@@ -49,6 +49,14 @@ This guide documents the forthcoming Advisory AI console experience so that cons
``` ```
The ribbon should hyperlink the `links.plan` and `links.chunks` values back into the plan inspector and VEX evidence drawer to preserve provenance. The ribbon should hyperlink the `links.plan` and `links.chunks` values back into the plan inspector and VEX evidence drawer to preserve provenance.
### 2.3 SBOM / DSSE evidence hooks
- Every response panel links to the sealed SBOM/VEX bundle emitted by Advisory AI. Until the live endpoints land, use the published fixtures:
- VEX statement SSE stream: `docs/api/console/samples/vex-statement-sse.ndjson`
- Guardrail banner projection: `docs/api/console/samples/advisory-ai-guardrail-banner.json`
- Findings overview payload: `docs/api/console/samples/vuln-findings-sample.json`
- When capturing screenshots, point the console to a dev workspace seeded with the above fixtures and record the build hash displayed in the footer to keep captures reproducible.
- Store captures under `docs/assets/advisory-ai/console/` using the scheme `yyyyMMdd-HHmmss-<view>-<build>.png` (UTC clock) so regeneration is deterministic. Keep the original JSON alongside each screenshot by saving the response as `…-payload.json` in the same folder.
## 3. Accessibility & offline requirements ## 3. Accessibility & offline requirements
- Console screens must pass WCAG 2.2 AA contrast and provide focus order that matches the keyboard shortcuts planned for Advisory AI (see `docs/advisory-ai/overview.md`). - Console screens must pass WCAG 2.2 AA contrast and provide focus order that matches the keyboard shortcuts planned for Advisory AI (see `docs/advisory-ai/overview.md`).
- All screenshots captured for this doc must come from sealed-mode bundles (no external fonts/CDNs). Store them under `docs/assets/advisory-ai/console/` with hashed filenames. - All screenshots captured for this doc must come from sealed-mode bundles (no external fonts/CDNs). Store them under `docs/assets/advisory-ai/console/` with hashed filenames.
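Review bot: the screenshot naming introduced in the new 2.3 bullet (`yyyyMMdd-HHmmss-<view>-<build>.png`) conflicts with the unchanged Section 3 line in this same hunk, which still requires captures under `docs/assets/advisory-ai/console/` to use "hashed filenames"; pick one scheme and update the other line in the same change, otherwise contributors will produce two layouts in one folder. The `…-payload.json` sidecar should also be spelled out in full (for example `yyyyMMdd-HHmmss-<view>-<build>-payload.json`) so the pairing rule is unambiguous, and since the fixture files are the evidence the screenshots claim to show, recording their digests next to the footer build hash would let a reviewer confirm that the captured payload is the committed fixture rather than a hand-edited copy.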
@@ -99,9 +107,10 @@ This guide documents the forthcoming Advisory AI console experience so that cons
## 5. Open items before publication ## 5. Open items before publication
- [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001. - [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001.
- [ ] Capture at least two screenshots (list view + evidence drawer) once UI polish is complete. - [ ] Capture at least two screenshots (list view + evidence drawer) using the fixture-backed workspace; commit both `*-payload.json` and `*-screenshot.png` with deterministic filenames.
- [ ] Verify copy-as-ticket instructions with Support to ensure the payload fields align with existing SOC runbooks. - [ ] Verify copy-as-ticket instructions with Support to ensure the payload fields align with existing SOC runbooks.
- [ ] Add latency tooltip + remote/local badge screenshots after Grafana wiring is stable. - [ ] Add latency tooltip + remote/local badge screenshots after Grafana wiring is stable.
- [ ] Attach SBOM/VEX bundle example (sealed DSSE) to the doc and link it from Section 2.3 for auditors.
> Tracking: DOCS-AIAI-31-004 (Docs Guild, Console Guild) > Tracking: DOCS-AIAI-31-004 (Docs Guild, Console Guild)
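Review bot: the updated checklist item names the files `*-payload.json` and `*-screenshot.png`, but Section 2.3 in this diff defines the capture name as `...-<build>.png` with no `-screenshot` suffix, so the "deterministic filenames" requirement currently has two definitions; align them. For the new DSSE bundle item, an attached sealed bundle is only useful to auditors if the doc also states which signing key or key id it was sealed with and how to verify it; add that to the item so Section 2.3 does not end up linking an example that cannot be checked.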


@@ -0,0 +1,78 @@
# Sprint 0112-0001-0001 · Concelier I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)
## Topic & Scope
- Deliver canonical advisory chunks with provenance anchors so Advisory AI consumes source-true data (no merge transforms) with deterministic ordering and cache keys.
- Keep Concelier aligned with competitor schemas (GHSA GraphQL, Red Hat CVE API, Cisco PSIRT openVuln) while remaining offline-capable and attestation-ready.
- Prepare mirror/offline provenance paths and transparency metadata so Attestor and Console surfaces can expose document-id + observation-path handles.
- Working directory: `src/Concelier` (WebService + Core libraries).
### Canonical model commitments (unchanged)
- `/advisories/{key}/chunks` render from the canonical `Advisory` aggregate (document id + latest observation set) only.
- Each structured field cites both the Mongo `_id` of the backing observation and the JSON Pointer into that observation (`observationPath`).
- Deterministic ordering: sort entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes.
- Continue mapping competitor field names to keep migrations predictable.
## Dependencies & Concurrency
- Link-Not-Merge schema review (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) scheduled 2025-11-14 gates Workstreams A and D.
- Mirror staffing for MIRROR-CRT-56-001 (kickoff 2025-11-15) blocks Workstream B chain (AIRGAP-56/57/58).
- Evidence Locker attestation contract alignment (with Excititor plan) needed for ATTEST-73 before Workstream C starts.
- Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013` + `AUTH-SIG-26-001`) required before Workstream E closes.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md and related module dossier
- docs/provenance/inline-dsse.md (for structured provenance schema)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-AIAI-31-002 | DOING | Await Link-Not-Merge sign-off; finish `ResolveAdvisoryAsync` + cache key update. | Concelier WebService Guild | Program.cs handler emits structured entries with `{chunkId,fingerprint,entries[],provenance.documentId,provenance.observationPath}`; deterministic ordering; Mongo2Go tests updated. |
| 2 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | None | Concelier WebService Guild · Observability Guild | OTEL counters: `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total` tagged with tenant/result/cache. |
| 3 | CONCELIER-AIRGAP-56-001 | TODO | Staff MIRROR-CRT-56-001; implement Offline Kit read path. | Concelier Core Guild | Mirror ingestion adapters persist `bundleId`, `merkleRoot`, append-only ledger comparisons. |
| 4 | CONCELIER-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Importer Guild | Store `{bundleId, merkleRoot, observationPath}` on observations/linksets for single-source provenance. |
| 5 | CONCELIER-AIRGAP-57-001 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Policy Guild | Sealed-mode feature flag rejects non-mirror connectors with actionable diagnostics. |
| 6 | CONCELIER-AIRGAP-57-002 | TODO | Depends on 56-002 | Concelier Core Guild · AirGap Time Guild | Compute `fetchedAt/publishedAt/clockSource` deltas and expose via observation APIs. |
| 7 | CONCELIER-AIRGAP-58-001 | TODO | Depends on 57-002 | Concelier Core Guild · Evidence Locker Guild | Portable advisory evidence bundles include provenance notes and verifier instructions. |
| 8 | CONCELIER-ATTEST-73-001 | TODO | Needs Workstream A output + attestation sequencing | Concelier Core Guild · Attestor Service Guild | Emit `{observationDigest, linksetDigest, documentId}` pairs for DSSE bundles. |
| 9 | CONCELIER-ATTEST-73-002 | TODO | Depends on 73-001 | Concelier Core Guild | Transparency metadata exposes `bundleId`, Rekor refs, observation paths for external explorers. |
| 10 | CONCELIER-CONSOLE-23-001 | TODO | Blocked by Link-Not-Merge schema | Concelier WebService Guild · BE-Base Platform Guild | `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`. |
| 11 | CONCELIER-CONSOLE-23-002 | TODO | Depends on 23-001 | Concelier WebService Guild | Deterministic dashboard deltas API returns new/modified/conflicting sets referencing linkset IDs and field paths. |
| 12 | CONCELIER-CONSOLE-23-003 | TODO | Depends on Workstream A taxonomy | Concelier WebService Guild | Search fan-out helpers for CVE/GHSA/PURL with observation excerpts, provenance anchors, cache hints. |
| 13 | CONCELIER-CORE-AOC-19-013 | TODO | Waits for structured endpoint readiness + AUTH-SIG-26-001 | Concelier Core Guild | Smoke/e2e suites enforce Authority tokens + tenant headers on ingest/read paths; provenance anchors round-trip. |
### Implementation checklist (applies to CONCELIER-AIAI-31-002)
1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard.
2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`.
3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors.
4. Refresh telemetry tests to assert `Response.Entries.Count`.
5. Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 | CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic (cache hit ratios + guardrail blocks per tenant). | Concelier WebService Guild |
| 2025-11-13 | Rebaseline: locked structured field scope to canonical model + provenance anchors aligned to competitor schemas. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_112_concelier_i.md` to `SPRINT_0112_0001_0001_concelier_i.md`; no semantic changes. | Planning |
## Decisions & Risks
- Link-Not-Merge schema slip past 2025-11-14 would stall Workstreams A and D; fallback adapter prep required.
- Mirror staffing unresolved blocks AIRGAP-56/57/58 and Offline Kit parity; escalate at 2025-11-15 kickoff.
- Evidence Locker contract delay would stall ATTEST-73, leaving Advisory AI without attested provenance.
- Authority smoke coverage gap risks AOC guardrails regressing when structured endpoint ships; pairing with Authority guild planned once Workstream A PR is ready.
- Status snapshot (as of 2025-11-13): A 🔶 DOING; B 🔴 BLOCKED; C 🔴 BLOCKED; D 🔶 WATCHING; E 🔶 WATCHING.
## Next Checkpoints
- 2025-11-14: Link-Not-Merge schema review (CARTO-GRAPH-21-002) — gate for Workstreams A/D.
- 2025-11-15: MIRROR-CRT-56-001 staffing kickoff; also Excititor/Evidence Locker sequencing for ATTEST-73.
- 2025-11-16: Target actions — finish structured endpoint changes, draft Advisory AI structured schema appendix, prep `/console/advisories` API spec, clone Authority smoke suites once ready.
- Standup prompts: (1) Did Link-Not-Merge review resolve blocking fields? (2) Who owns MIRROR-CRT-56-001 post-kickoff and staffing for AIRGAP follow-ons? (3) Did Evidence Locker accept attestation contract draft for ATTEST-73-001 start? (4) Are Authority/AOC smoke tests ready to clone once structured fields release, or is more scope needed from AUTH-SIG-26-001?
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. |
| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. |
| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. |
| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. |
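Review bot: checklist item 2 widens `AdvisoryChunkCacheKey` with `AdvisoryFingerprint` but does not say whether the tenant from item 1's tenant guard is part of the key; row 2 tags the cache-hit counters by tenant, so the key must include the tenant (or the sprint should state that it already does), otherwise the hit counters are per tenant while the cached chunk itself is shared across tenants. Two smaller points: the canonical-model bullets say each field cites the Mongo `_id` of the backing observation, while the ordering rule sorts on `sourceId`; if these are the same value, use one name, and if not, state which one is the anchor that `provenance.observationPath` pairs with. Exposing a raw Mongo `_id` in a cached, tenant-scoped response also deserves a sentence on why that is acceptable versus the `documentId` handle used elsewhere in the tracker.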


@@ -0,0 +1,59 @@
# Sprint 0113-0001-0002 · Concelier II — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Advance Link-Not-Merge ingestion so advisories stay append-only with provenance-first observations and linksets.
- Enable graph overlays (Cartographer) with raw observations/linksets, change events, and batch evidence APIs—no merge-derived judgments.
- Lay storage/event foundations (Mongo, object store, NATS/Redis) for scalable, tenant-scoped advisory data.
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
## Dependencies & Concurrency
- Depends on Sprint 0112-0001-0001 (Concelier I) for canonical advisory outputs.
- Link-Not-Merge schema chain (CONCELIER-LNM-21-001…005, 101…103, 201…203) must proceed in order; events and APIs depend on earlier ingestion plumbing.
- Graph change events require Scheduler/Platform Events alignment; coordinate with Cartographer guilds to keep telemetry deterministic.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (plus storage and ingestion notes)
- Any Link-Not-Merge schema/ADR docs referenced by CONCELIER-LNM-21-***
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-GRAPH-21-001 | BLOCKED (2025-10-27) | Waiting for Link-Not-Merge schema finalization | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
| 2 | CONCELIER-GRAPH-21-002 | BLOCKED (2025-10-27) | Depends on 21-001 | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
| 3 | CONCELIER-GRAPH-24-101 | TODO | Depends on 21-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
| 4 | CONCELIER-GRAPH-28-102 | TODO | Depends on 24-101 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
| 5 | CONCELIER-LNM-21-001 | TODO | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
| 6 | CONCELIER-LNM-21-002 | TODO | Depends on 21-001 | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
| 7 | CONCELIER-LNM-21-003 | TODO | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. |
| 8 | CONCELIER-LNM-21-004 | TODO | Depends on 21-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
| 9 | CONCELIER-LNM-21-005 | TODO | Depends on 21-004 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
| 10 | CONCELIER-LNM-21-101 | TODO | Depends on 21-005 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. |
| 11 | CONCELIER-LNM-21-102 | TODO | Depends on 21-101 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. |
| 12 | CONCELIER-LNM-21-103 | TODO | Depends on 21-102 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
| 13 | CONCELIER-LNM-21-201 | TODO | Depends on 21-103 | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. |
| 14 | CONCELIER-LNM-21-202 | TODO | Depends on 21-201 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. |
| 15 | CONCELIER-LNM-21-203 | TODO | Depends on 21-202 | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_113_concelier_ii.md` to `SPRINT_0113_0001_0002_concelier_ii.md`; no semantic changes. | Planning |
## Decisions & Risks
- Link-Not-Merge schema sequence is critical path; delays keep ingestion and graph events blocked (see tasks 515).
- Graph event pipeline depends on Scheduler/Platform Events alignment to avoid non-deterministic downstream joins.
- Storage backfill (21-102) and object-store move (21-103) must preserve provenance metadata to avoid regression in Offline Kit and replay.
## Next Checkpoints
- Next LNM schema review: align with CARTO-GRAPH/LNM owners (date TBD); unblock tasks 12 and 515.
- Schedule event schema walkthrough with Platform Events/Scheduler guilds once 21-005 draft ready.
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 115 | Concelier Core · Cartographer · Platform Events | Outstanding; blockers dated 2025-10-27 remain. |
| Scheduler / Platform Events contract for `sbom.observation.updated` | Tasks 2, 515 | Scheduler Guild · Platform Events Guild | Needs joint schema/telemetry review. |
| Object storage contract for raw payloads | Tasks 1012 | Storage Guild · DevOps Guild | To be defined alongside 21-103. |
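Review bot: row 10 provisions `advisory_observations` and `advisory_linksets` with "TTL for ingest metadata", while row 8 adds guardrails to keep ingestion append-only and the risks section requires backfill and replay to preserve provenance; the row should state that TTL applies only to transient ingest bookkeeping and never to observations or linksets, otherwise expiry silently breaks replay. Also the task ranges have lost their separators ("tasks 515", "Tasks 115", "Tasks 1012" read as single numbers); write them as `5-15`, `1-15` and `10-12`.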


@@ -0,0 +1,58 @@
# Sprint 0114-0001-0003 · Concelier III — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Document and expose Link-Not-Merge ingestion surfaces (OpenAPI + SDK) with provenance, tenant scope, and AOC guarantees.
- Establish observability, attestation, and incident-mode hooks that keep advisory evidence replayable without merge-era heuristics.
- Align ingestion workers with orchestrator controls for deterministic scheduling, backfill, and ledger linkage.
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
## Dependencies & Concurrency
- Depends on Sprint 0113-0001-0002 (Concelier II) Link-Not-Merge plumbing and graph/event groundwork.
- Observability chain (OBS-51…55) builds sequentially; attestation work relies on evidence snapshot generation first.
- Orchestrator integration tasks (ORCH-32…34) must coordinate with orchestrator worker SDK/controls; schedule alongside Policy Engine consumers.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-OAS-61-001 | TODO | Needs latest LNM schema from Sprint 0113 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
| 2 | CONCELIER-OAS-61-002 | TODO | Depends on 61-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
| 3 | CONCELIER-OAS-62-001 | TODO | Depends on 61-002 | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
| 4 | CONCELIER-OAS-63-001 | TODO | Depends on 62-001 | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
| 5 | CONCELIER-OBS-51-001 | TODO | Start of OBS chain | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
| 6 | CONCELIER-OBS-52-001 | TODO | Depends on 51-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
| 7 | CONCELIER-OBS-53-001 | TODO | Depends on 52-001 | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
| 8 | CONCELIER-OBS-54-001 | TODO | Depends on 53-001 | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
| 9 | CONCELIER-OBS-55-001 | TODO | Depends on 54-001 | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
| 10 | CONCELIER-ORCH-32-001 | TODO | Coordinate with orchestrator registry | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
| 11 | CONCELIER-ORCH-32-002 | TODO | Depends on 32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
| 12 | CONCELIER-ORCH-33-001 | TODO | Depends on 32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
| 13 | CONCELIER-ORCH-34-001 | TODO | Depends on 33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
| 14 | CONCELIER-POLICY-20-001 | TODO | Needs Link-Not-Merge APIs from Sprint 0113 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |
## Decisions & Risks
- Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts.
- Observability/attestation chain (OBS-51…55) risks audit gaps if sequencing slips; each step depends on previous artifacts.
- Orchestrator control compliance is required to prevent evidence loss during throttles/pauses.
## Next Checkpoints
- Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs).
- Plan orchestrator contract review with Orchestrator guild before implementing ORCH-32-002.
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema + APIs from Sprint 0113 | Tasks 14, 14 | Concelier Core/WebService · API Contracts | Pending upstream completion. |
| Observability metrics foundation (CONCELIER-OBS-51-001) | Tasks 69 | Concelier Core · DevOps | Not started; required for downstream timeline/attestation hooks. |
| Orchestrator registry/SDK contracts | Tasks 1013 | Concelier Core · Orchestrator Guild | Coordination needed; no contract recorded yet. |
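Review bot: row 9's incident-mode hooks include "retention overrides" and "redaction guards", but nothing says the override itself is written to the timeline records from row 6; since the stated goal of the OBS chain is replayable evidence, an unrecorded retention or redaction change is exactly the gap an auditor would flag, so add that to the task definition. The blockers table has also lost its range separators: "Tasks 14, 14" should read `1-4, 14`, "Tasks 69" should read `6-9`, and "Tasks 1013" should read `10-13`.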


@@ -0,0 +1,58 @@
# Sprint 0115-0001-0004 · Concelier IV — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Extend Link-Not-Merge outputs to serve policy, risk, and notification consumers with provenance-preserving linksets and signals.
- Backfill raw linksets and enforce tenant-aware linking so downstream services ingest fact-only advisory data.
- Bridge Concelier evidence to Policy Studio and VEX Lens without introducing merge-era inference.
- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService).
## Dependencies & Concurrency
- Depends on Sprint 0114-0001-0003 (Concelier III) OpenAPI/observability foundations.
- Policy enrichment chain (POLICY-20-002/003, POLICY-23-001/002) builds sequentially; events rely on prior indexes/cursors.
- Risk signals (RISK-66…69) and tenant-aware linking hinge on upstream Link-Not-Merge data and AUTH/AOC scoping.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (policy/risk/tenant scope sections)
- docs/dev/raw-linkset-backfill-plan.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-POLICY-20-002 | TODO | Depends on POLICY-20-001 (Sprint 0114) | Concelier Core Guild · Policy Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expand linkset builders with vendor equivalence, NEVRA/PURL normalization, version-range parsing so policy joins are accurate without prioritizing sources. |
| 2 | CONCELIER-POLICY-20-003 | TODO | Depends on 20-002 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Advisory selection cursors + change-stream checkpoints for deterministic policy deltas; include offline migration scripts. |
| 3 | CONCELIER-POLICY-23-001 | TODO | Depends on 20-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Secondary indexes/materialized views (alias, provider severity, confidence) to keep policy lookups fast without cached verdicts; document query patterns. |
| 4 | CONCELIER-POLICY-23-002 | TODO | Depends on 23-001 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Ensure `advisory.linkset.updated` events carry idempotent IDs, confidence summaries, tenant metadata for safe policy replay. |
| 5 | CONCELIER-RISK-66-001 | TODO | Start of risk chain | Concelier Core Guild · Risk Engine Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Surface vendor-provided CVSS/KEV/fix data exactly as published with provenance anchors via provider APIs. |
| 6 | CONCELIER-RISK-66-002 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. |
| 7 | CONCELIER-RISK-67-001 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. |
| 8 | CONCELIER-RISK-68-001 | TODO | Depends on POLICY-RISK-68-001 | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
| 9 | CONCELIER-RISK-69-001 | TODO | Depends on 66-002 | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
| 10 | CONCELIER-SIG-26-001 | TODO | Depends on SIGNALS-24-002 | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
| 11 | CONCELIER-STORE-AOC-19-005 | TODO (2025-11-04) | Depends on CONCELIER-CORE-AOC-19-004 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. |
| 12 | CONCELIER-TEN-48-001 | TODO | Depends on AUTH-TEN-47-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
| 13 | CONCELIER-VEXLENS-30-001 | TODO | Depends on CONCELIER-VULN-29-001, VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_115_concelier_iv.md` to `SPRINT_0115_0001_0004_concelier_iv.md`; no semantic changes. | Planning |
## Decisions & Risks
- Policy enrichment chain must remain fact-only; any weighting or prioritization belongs to Policy Engine, not Concelier.
- Raw linkset backfill (STORE-AOC-19-005) must preserve rollback paths to protect Offline Kit deployments.
- Tenant-aware linking and notification hooks depend on Authority/Signals contracts; delays could stall AOC compliance and downstream alerts.
## Next Checkpoints
- Plan backfill rehearsal window for STORE-AOC-19-005 once AUTH/AOC prerequisites clear (date TBD).
- Schedule Policy Studio integration review after POLICY-20-003 cursors and indexes are available.
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| POLICY-20-001 outputs (Sprint 0114) | Tasks 14 | Concelier Core/WebService · Policy Guild | Upstream prerequisite. |
| AUTH-TEN-47-001 tenant scope contract | Task 12 | Authority Guild · Concelier Core | Pending; required for tenant enforcement. |
| SIGNALS-24-002 symbol data ingestion | Task 10 | Signals Guild · Concelier Core | Pending contract. |
| CONCELIER-CORE-AOC-19-004 backfill pre-req | Task 11 | Concelier Core/Storage · DevOps | Needs completion before backfill rehearsal. |
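Review bot: the Blockers & Dependencies table has lost the range separator in its impacted-work column, so `Tasks 14` in the POLICY-20-001 row reads as a single task 14 while the tracker above stops at task 13; write the range explicitly as `Tasks 1-4`. The same row names POLICY-20-001 as the gating output, but task 8 depends on POLICY-RISK-68-001 and the Next Checkpoints entry waits on POLICY-20-003 cursors and indexes, so state which Policy deliverable actually blocks the Studio integration review.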


@@ -0,0 +1,60 @@
# Sprint 0116-0001-0005 · Concelier V — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Harden Concelier ingestion for air-gapped and AOC scenarios with sealed-mode enforcement, timeline emission, and regression coverage.
- Finalize Link-Not-Merge API/SDK alignment (error envelopes, examples, deprecation headers) and observability surfaces for Console/Vuln Explorer.
- Address AOC guardrails and chunk evidence regressions to keep ingestion append-only and deterministic.
- Working directory: `src/Concelier` (WebService focus).
## Dependencies & Concurrency
- Depends on Sprint 0115-0001-0004 (Concelier IV) policy/risk and backfill readiness.
- AirGap chain (WEB-AIRGAP-56/57/58) builds sequentially; sealed-mode must precede staleness surfacing and timeline events.
- AOC regression tasks (WEB-AOC-19-003…007) rely on prior validators (WEB-AOC-19-002) and must land before large-batch ingest verification.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (airgap, AOC, observability sections)
- Link-Not-Merge API specs and error envelope guidelines
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-VULN-29-004 | TODO | Depends on CONCELIER-VULN-29-001 | Concelier WebService Guild · Observability Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, chunk latencies; stream to Vuln Explorer without altering payloads. |
| 2 | CONCELIER-WEB-AIRGAP-56-001 | TODO | Start of AirGap chain | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, enforce sealed-mode by blocking direct internet feeds. |
| 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets`; operators see freshness without Excititor-derived outcomes. |
| 4 | CONCELIER-WEB-AIRGAP-57-001 | TODO | Depends on 56-002 | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance; keep advisory content untouched. |
| 5 | CONCELIER-WEB-AIRGAP-58-001 | TODO | Depends on 57-001 | Concelier WebService Guild · AirGap Importer Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit timeline events for bundle imports (bundle ID, scope, actor) to capture every evidence change. |
| 6 | CONCELIER-WEB-AOC-19-003 | TODO | Depends on WEB-AOC-19-002 | QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), supersedes chains to keep ingestion append-only. |
| 7 | CONCELIER-WEB-AOC-19-004 | TODO | Depends on 19-003 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Integration tests ingesting large batches (cold/warm) verifying reproducible linksets; record metrics/fixtures for Offline Kit rehearsals. |
| 8 | CONCELIER-WEB-AOC-19-005 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve; stop "Unable to locate advisory_raw documents" during tests. |
| 9 | CONCELIER-WEB-AOC-19-006 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Align default auth/tenant configs with fixtures so allowlisted tenants ingest before forbidden ones are rejected; close gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. |
| 10 | CONCELIER-WEB-AOC-19-007 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Ensure AOC verify emits `ERR_AOC_001` (not `_004`); maintain mapper/guard parity with regression tests. |
| 11 | CONCELIER-WEB-OAS-61-002 | TODO | Prereq for examples/deprecation | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Migrate APIs to standardized error envelope; update controllers/tests accordingly. |
| 12 | CONCELIER-WEB-OAS-62-001 | TODO | Depends on 61-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish curated examples for observations/linksets/conflicts; wire into developer portal. |
| 13 | CONCELIER-WEB-OAS-63-001 | TODO | Depends on 62-001 | Concelier WebService Guild · API Governance Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. |
| 14 | CONCELIER-WEB-OBS-51-001 | TODO | Depends on CONCELIER-WEB-OBS-50-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/obs/concelier/health` surfaces for ingest health, queue depth, SLO status for Console widgets. |
| 15 | CONCELIER-WEB-OBS-52-001 | TODO | Depends on 51-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, audit logging for live evidence monitoring. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_116_concelier_v.md` to `SPRINT_0116_0001_0005_concelier_v.md`; no semantic changes. | Planning |
## Decisions & Risks
- AirGap sealed-mode enforcement must precede staleness surfaces/timeline events to avoid leaking non-mirror sources.
- AOC regression fixes are required before large-batch ingest verification; failing to align allowlist/auth configs risks false negatives in tests.
- Standardized error envelope is prerequisite for SDK/doc alignment; delays block developer portal updates.
## Next Checkpoints
- Plan sealed-mode remediation payload review once WEB-AIRGAP-56-002 is drafted (date TBD).
- Schedule regression test run after WEB-AOC-19-003 lands to validate batch ingest and chunk evidence fixes.
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| AirGap mirror import plumbing (WEB-AIRGAP-56-001) | Tasks 35 | Concelier WebService · AirGap Guilds | Not started; prerequisite for staleness and timeline work. |
| AOC validator updates (WEB-AOC-19-002) | Tasks 610 | Concelier WebService · QA | Required to unblock guardrail/regression tasks. |
| Error envelope standard (WEB-OAS-61-002) | Tasks 1213 | Concelier WebService · API Governance | Prerequisite for examples and deprecation headers. |
| Observability base (WEB-OBS-50-001) | Tasks 1415 | Concelier WebService | Upstream dependency for health/timeline surfaces. |
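Review bot: task 4 maps sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads but nothing in this file records the refused attempt itself; task 5 only emits timeline events for bundle imports and task 15 only mentions audit logging for the SSE stream, so add a timeline or audit event for each blocked direct-feed attempt, otherwise operators only ever see successful imports and never learn that a sealed deployment tried to reach an upstream feed. Task 10 says verify must emit `ERR_AOC_001` rather than `_004`, yet neither code is defined here and task 6 lists only `ERR_AOC_001/2/6/7` as guard codes; reference the error catalog that maps each condition to its code so the mapper/guard parity test has a spec to assert against. The impacted-work ranges in the Blockers table (`Tasks 35`, `Tasks 610`, `Tasks 1213`, `Tasks 1415`) are missing their separator and should read `Tasks 3-5`, `6-10`, `12-13`, `14-15`.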


@@ -0,0 +1,52 @@
# Sprint 0117-0001-0006 · Concelier VI — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Expose evidence locker and attestation data through Concelier APIs with provenance-preserving contracts and incident-mode controls.
- Finish connector-side Link-Not-Merge provenance for version ranges (CCCS, CERT-Bund, Cisco) to feed canonical observations.
- Keep migration docs aligned as connectors adopt new schemas.
- Working directory: `src/Concelier` (WebService + Connector libraries) and `docs` (migration).
## Dependencies & Concurrency
- Depends on Sprint 0116-0001-0005 for observability timeline stream and error envelope readiness.
- Evidence locker/attestation endpoints (WEB-OBS-53/54/55) rely on Link-Not-Merge observation schema and prior SSE timeline work.
- Connector tasks depend on CONCELIER-LNM-21-001 schema; must proceed per-connector while keeping migration docs in sync.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (connectors, evidence locker integration)
- docs/migration/no-merge.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-WEB-OBS-53-001 | TODO | Depends on WEB-OBS-52-001 (Sprint 0116) | Concelier WebService Guild · Evidence Locker Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add `/evidence/advisories/*` routes proxying evidence locker snapshots, verifying `evidence:read` scopes, returning signed manifest metadata—no raw storage shortcuts. |
| 2 | CONCELIER-WEB-OBS-54-001 | TODO | Depends on 53-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide `/attestations/advisories/*` endpoints with DSSE status, verification summary, provenance chain so CLI/Console audit trust without DB hits. |
| 3 | CONCELIER-WEB-OBS-55-001 | TODO | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs coordinating ingest, locker, orchestrator; capture activation events + cooldown semantics while leaving evidence untouched. |
| 4 | FEEDCONN-CCCS-02-009 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. |
| 5 | FEEDCONN-CERTBUND-02-010 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | Translate CERT-Bund `product.Versions` into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) retaining localisation notes; update mapper/tests for Link-Not-Merge. |
| 6 | FEEDCONN-CISCO-02-009 | DOING (2025-11-08) | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. |
| 7 | DOCS-LNM-22-008 | DONE (2025-11-03) | Keep synced with connector migrations | Docs Guild · DevOps Guild (`docs`) | `docs/migration/no-merge.md` documents Link-Not-Merge migration plan. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-03 | Documented Link-Not-Merge migration plan (`docs/migration/no-merge.md`). | Docs Guild |
| 2025-11-08 | Connector Cisco task marked DOING; others pending Link-Not-Merge schema. | Connector PM |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_117_concelier_vi.md` to `SPRINT_0117_0001_0006_concelier_vi.md`; no semantic changes. | Planning |
## Decisions & Risks
- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; lacking these risks bypass paths.
- Connector version-range provenance must align with Link-Not-Merge schema; inconsistencies could break deterministic comparisons across feeds.
- Incident-mode toggles need orchestrator/locker coordination; absence of shared semantics risks divergent behavior across services.
## Next Checkpoints
- Schedule evidence locker API contract review once WEB-OBS-52-001 ships (date TBD).
- Connector sync to validate range normalization across CCCS, CERT-Bund, Cisco after initial implementations.
## Blockers & Dependencies (detailed)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| WEB-OBS-52-001 timeline stream (Sprint 0116) | Tasks 13 | Concelier WebService · DevOps | Upstream dependency not yet delivered. |
| Link-Not-Merge observation schema (CONCELIER-LNM-21-001) | Tasks 46 | Connector Guilds | Required for normalized range emission. |
| Orchestrator/locker incident-mode contract | Task 3 | DevOps · Concelier WebService | Needs definition; no shared semantics recorded. |
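Review bot: task 1 (CONCELIER-WEB-OBS-53-001) checks only the `evidence:read` scope on the `/evidence/advisories/*` proxy routes and says nothing about tenant scoping, although Sprint 0115 task 12 enforces tenant scoping on ingestion and the Sprint 0119 chunks API filters by tenant; a scope check alone would let any caller holding `evidence:read` fetch another tenant's locker snapshot, so state that the routes resolve the tenant from the caller's token and cover it in the regression tests. Task 2's "audit trust without DB hits" is ambiguous about whether the DSSE status is served from the attestation store or from a cached verification summary; say which, since a cached summary and a fresh verification are different trust statements. The Blockers table ranges `Tasks 13` and `Tasks 46` are missing their separator (`Tasks 1-3`, `Tasks 4-6`).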


@@ -0,0 +1,82 @@
# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I)
## Topic & Scope
- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus.
- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments.
- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts.
- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted).
## Dependencies & Concurrency
- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery.
- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion.
- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land.
## Documentation Prerequisites
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
- `docs/modules/excititor/mirrors.md`
- `docs/modules/excititor/operations/*`
- `docs/modules/excititor/implementation_plan.md`
- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors).
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
| 2 | EXCITITOR-AIAI-31-002 | TODO | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
| 3 | EXCITITOR-AIAI-31-003 | DOING (in review 2025-11-13) | Await Ops span sink; finalize metrics wiring. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
| 4 | EXCITITOR-AIAI-31-004 | TODO | Finalize OpenAPI/SDK/docs once 31-002/003 stabilize. | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
| 5 | EXCITITOR-AIRGAP-56-001 | TODO | Waiting on Export Center mirror bundle schema (Sprint 162). | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
| 6 | EXCITITOR-AIRGAP-57-001 | TODO | Blocked on 56-001; define sealed-mode errors. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
| 7 | EXCITITOR-AIRGAP-58-001 | TODO | Depends on 57-001 and EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
| 8 | EXCITITOR-ATTEST-01-003 | DOING (since 2025-11-06) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
| 9 | EXCITITOR-ATTEST-73-001 | TODO | Blocked on 01-003; prep payload spec. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
| 10 | EXCITITOR-ATTEST-73-002 | TODO | Blocked on 73-001; design linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
| 11 | EXCITITOR-CONN-TRUST-01-001 | TODO | Await connector signer metadata schema (review 2025-11-14). | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
### Task Clusters & Readiness
- **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
- **AirGap ingestion & portable bundles:** 56/57/58 gated on Export Center schema and EvidenceLocker format; need sealed-mode error catalog and timeline mapping.
- **Attestation & provenance chain:** 01-003 harness/diagnostics first, then 73-001 payload spec and 73-002 linkage docs.
- **Connector provenance parity:** Inventory signer metadata, define shared fingerprint/tier schema, update connector acceptance tests.
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + runbook ready; waiting on Ops span sink deploy) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
| 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild |
| 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning |
## Decisions & Risks
- **Decisions**
- Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`.
- If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads.
- Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
- **Risks & Mitigations**
- Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
- Mirror bundle schema slips (Export Center/AirGap) → use placeholder schema; escalate; severity: High.
- Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High.
- Connector signer metadata incomplete → stage connector-specific TODOs and feature flag partial rollout; severity: Medium.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |
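Review bot: the tracker row for EXCITITOR-AIAI-31-003 still reads `DOING (in review 2025-11-13)` and the Task Clusters line says its instrumentation is pending, but the 2025-11-14 execution log entry says the instrumentation merged with only the telemetry export blocked on the span sink; update the row status and the cluster note so the three agree. Task 2 names the new route `/vex/evidence/chunks` while the Action Tracker instruments `/v1/vex/observations/**`; reconcile the prefix so the 31-003 metrics actually cover the 31-002 endpoint. Task 2 also applies "tenant/policy filters" for RAG clients; state that the tenant filter is derived from the caller's token server-side rather than accepted as a request parameter, since the raw statement stream is exactly the data the tenant boundary must hold.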


@@ -0,0 +1,78 @@
# Sprint 0120-0000-0001 · Policy & Reasoning
## Topic & Scope
- Deliver ledger observability baselines (LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5M findings/tenant.
- Extend ledger provenance to orchestrator jobs, air-gapped bundle imports, and attestation evidence (LEDGER-34-101, LEDGER-AIRGAP-56/57/58, LEDGER-ATTEST-73-001).
- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) so downstream guilds can adopt without bespoke guidance.
- Working directory: `src/Findings/StellaOps.Findings.Ledger`.
## Dependencies & Concurrency
- Upstream obligations: Sprint 110.A AdvisoryAI must land; Observability Guild must sign off `ledger_*` metric schema; mirror bundle schema freeze required before LEDGER-AIRGAP-*; attestation pointer schema must align with NOTIFY-ATTEST-74-001.
- Concurrency guardrails: execute tasks in order DOING → TODO → BLOCKED; orchestrator export contract is tracked with Sprint 150.A to avoid cross-guild contention.
- Entry criteria: upstream AdvisoryAI deliverables complete; Observability-approved metric names/labels; published mirror bundle schemas for AirGap kits.
- Exit criteria: metrics/logs/dashboards live in ops telemetry packs with alerts; determinism/load harness produces signed 5M findings report; deployment manifests + offline kits reviewed by DevOps/AirGap guilds; ledger records pointers to orchestrator runs, bundle provenance, and attestation envelopes.
**External dependency tracker**
| Dependency | Current state (2025-11-13) | Impact |
| --- | --- | --- |
| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
**Cluster snapshot**
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
| --- | --- | --- | --- | --- |
| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. |
| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. |
| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
## Documentation Prerequisites
- `docs/modules/findings-ledger/observability.md`
- `docs/modules/findings-ledger/replay-harness.md`
- `docs/modules/findings-ledger/deployment.md`
- `docs/modules/findings-ledger/implementation_plan.md`
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/observability/policy.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | LEDGER-29-007 | TODO | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
| 2 | LEDGER-29-008 | TODO | Depends on LEDGER-29-007 instrumentation | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. |
| 3 | LEDGER-29-009 | TODO | Depends on LEDGER-29-008 harness results | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. |
| 4 | LEDGER-34-101 | TODO | Orchestrator ledger export contract (Sprint 150.A) | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
| 5 | LEDGER-AIRGAP-56-001 | TODO | Mirror bundle schema freeze | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
| 6 | LEDGER-AIRGAP-56-002 | TODO | Depends on LEDGER-AIRGAP-56-001 | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
| 7 | LEDGER-AIRGAP-57-001 | TODO | Depends on LEDGER-AIRGAP-56-002 | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
| 8 | LEDGER-AIRGAP-58-001 | TODO | Depends on LEDGER-AIRGAP-57-001 | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
| 9 | LEDGER-ATTEST-73-001 | TODO | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
| 2025-11-16 | Normalised sprint to standard template and renamed to `SPRINT_0120_0000_0001_policy_reasoning.md`; no content changes beyond reformat. | Project Management |
| 2025-11-16 | Added `src/Findings/AGENTS.md` synthesising required reading, boundaries, determinism/observability rules for implementers. | Project Management |
## Decisions & Risks
- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn.
- Replay workload risk: 5M findings load may exceed lab capacity; mitigation is to use the QA replay rig and capture CPU/memory budgets in runbooks.
- Air-gap drift risk: mirror bundle format still moving; mitigation is to version the provenance schema and gate LEDGER-AIRGAP-* merges until docs/manifests updated.
- Cross-guild lag risk: Orchestrator/Attestor dependencies may delay provenance pointers; mitigation is weekly sync notes and feature flags so ledger work can land behind toggles.
- Implementer contract now anchored in `src/Findings/AGENTS.md`; keep in sync with module docs and update sprint log when changed.
## Next Checkpoints
- 2025-11-15 · Metrics + dashboard schema sign-off — Observability Guild — unblocks LEDGER-29-007 instrumentation PR.
- 2025-11-18 · Determinism + replay harness dry-run at 5M findings — QA Guild — required before LEDGER-29-008 can close.
- 2025-11-20 · Helm/Compose manifests + backup doc review — DevOps Guild · AirGap Controller Guild — needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001.
- 2025-11-22 · Mirror bundle provenance schema freeze — AirGap Time Guild — enables LEDGER-AIRGAP-56/57/58 sequencing.
- 2025-11-25 · Orchestrator ledger export contract signed — Orchestrator Guild — prerequisite for LEDGER-34-101 linkage.
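Review bot: the Next Checkpoints list still carries the 2025-11-15 metrics + dashboard schema sign-off as an open item and Decisions & Risks says metric names are "locked by 2025-11-15", yet the two 2025-11-16 Execution Log rows only record the template rename and the new `src/Findings/AGENTS.md`, so the file never says whether that sign-off happened. Add a 2025-11-16 log row with the checkpoint outcome (or mark it slipped) so readers of LEDGER-29-007 know whether the instrumentation PR is unblocked; the 2025-11-13 09:30 row is likewise still "awaiting Observability + Orchestrator inputs" with no follow-up. Minor: the two 2025-11-16 rows omit the UTC time that every earlier row carries.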

@@ -23,32 +23,34 @@
| --- | --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- | --- |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. | | 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. | | 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Remote inference packaging queued behind policy knob work. | | 110.A Advisory AI | AIAI-31-008 | BLOCKED | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Blocked pending policy knob deliverables (AIAI-31-006/007). |
| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. | | 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. | | 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | DOING | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Structured field/caching implementation gated on schema approval. | | 110.B Concelier | CONCELIER-AIAI-31-002 | BLOCKED | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Blocked: Link-Not-Merge schema still not approved; cannot finalize structured field/caching. |
| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. | | 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | TODO | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Air-gap bundles waiting on stable schema + attestation payloads. | | 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Blocked until schema approval + attestation scope sign-off. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | TODO | Concelier Console Guild | Link-Not-Merge schema | Console overlays blocked until schema signed off. | | 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | Link-Not-Merge schema | Blocked pending Link-Not-Merge schema approval. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | TODO | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Attestation metadata wiring follows structured caching. | | 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Blocked until structured caching lands and Evidence Locker contract finalises. |
| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. | | 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. |
| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. | | 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | TODO | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Chunk API waiting on schema + ingest agreements. | | 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Blocked until schema + ingest contract approved. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | TODO | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Telemetry/guardrail metrics follow chunk API. | | 110.C Excititor | EXCITITOR-AIAI-31-003 | BLOCKED | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Blocked behind EXCITITOR-AIAI-31-002. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | TODO | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Docs/OpenAPI alignment queued behind chunk API finalisation. | | 110.C Excititor | EXCITITOR-AIAI-31-004 | BLOCKED | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Blocked until chunk API finalized. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Attestation payload ordering awaiting sequencing session. | | 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Blocked pending chunk API + Evidence Locker attestation scope. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | TODO | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Air-gap + connector parity depend on schema + attestation readiness. | | 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Blocked until schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | | 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | Staffing decision | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata follows assembler baseline. | | 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | TODO | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor workstreams blocked pending assembler + time contract. | | 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | TODO | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | CLI + Export automation depends on assembler and DSSE/TUF track. | | 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Downstream automation awaiting assembler staffing outcome. | | 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Blocked pending MIRROR-CRT-56-001 ownership. |
## Execution Log ## Execution Log
| Date (UTC) | Update | Owner | | Date (UTC) | Update | Owner |
| --- | --- | --- | | --- | --- | --- |
| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 1415 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads | | 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 1415 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads | | 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |
## Decisions & Risks ## Decisions & Risks
### Decisions in flight ### Decisions in flight
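Review bot: the blocker given for AIAI-31-008 in this hunk ("Blocked pending policy knob deliverables (AIAI-31-006/007)") contradicts the Sprint 111 change in the same commit, which records AIAI-31-006..007 as done and blocks AIAI-31-008 on the DEVOPS-AIAI-31-001 runbook; pick one blocker and state it identically in both files. DOCS-AIAI-31-004 is also left DOING here while the Sprint 111 file flips it to BLOCKED (2025-11-16), and the 2025-11-16 log row in this hunk even says the draft "progressed"; the tracker row should move to BLOCKED with the same reason. Style: the two new Execution Log rows are appended below the 2025-11-09 entry although the log runs newest-first (2025-11-13 above 2025-11-09), so insert them at the top.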

@@ -12,16 +12,19 @@ DOCS-AIAI-31-006 | DONE (2025-11-13) | `/docs/policy/assistant-parameters.md` no
> 2025-11-13: Published `docs/policy/assistant-parameters.md`, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111. > 2025-11-13: Published `docs/policy/assistant-parameters.md`, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111.
DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs) DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs)
DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs) DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs)
SBOM-AIAI-31-003 | TODO (2025-11-03) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001. | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService) SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001 (not yet delivered). | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService)
AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) AIAI-31-008 | BLOCKED (2025-11-16) | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007 (done) plus DEVOPS-AIAI-31-001 runbook. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI)
AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) | AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) |
> 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator. > 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
> 2025-11-16: SBOM-AIAI-31-003 marked BLOCKED pending SBOM-AIAI-31-001 projection kit + smoke plan.
> 2025-11-16: AIAI-31-008 marked BLOCKED pending DEVOPS-AIAI-31-001 runbook for on-prem/remote packaging.
> 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs. > 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
DOCS-AIAI-31-004 | DOING (2025-11-07) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001. | Docs Guild, Console Guild (docs) DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001 (not yet delivered). | Docs Guild, Console Guild (docs)
> 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship. > 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship.
> 2025-11-16: DOCS-AIAI-31-004 marked BLOCKED; console widgets and Excititor feed endpoints still pending, cannot capture final screenshots/flows.
> 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests. > 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests.
> 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open. > 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open.
DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs) DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs)
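Review bot: the new `>` status lines are inserted out of date order: the two 2025-11-16 notes for SBOM-AIAI-31-003 and AIAI-31-008 sit between the 2025-11-03 and 2025-11-04 entries, and the 2025-11-16 note for DOCS-AIAI-31-004 sits between 2025-11-07 and 2025-11-08; move each to the end of its item's note list so the timeline reads forward. The DOCS-AIAI-31-004 row now tags its three dependencies "(not yet delivered)", but the 2025-11-08 note says CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 are staffed and DOING and the 2025-11-16 note narrows the gap to console widgets and Excititor feed endpoints, so name EXCITITOR-CONSOLE-23-001 as the concrete blocker in the row rather than the whole list. Minor: the AIAI-31-009 row ends with a trailing ` |` that no other row in this table has.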

@@ -1,99 +0,0 @@
# Sprint 112 · Concelier.I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)
Phase 110.B keeps Concelier focused on ingestion fidelity and evidence APIs. All active work here assumes Advisory AI consumes *canonical* advisory documents (no merge transforms) and that every field we emit carries exact provenance anchors.
## Canonical Model Commitments
- **Single source of truth:** `/advisories/{key}/chunks` must render from the canonical `Advisory` aggregate (document id + latest observation set), never from derived cache copies.
- **Provenance anchors:** Each structured field cites both the Mongo `_id` of the backing observation document and the JSON Pointer into that observation (`observationPath`). This mirrors how GHSAs GraphQL `securityAdvisory.references` and Cisco PSIRTs `openVuln` feeds expose source handles, so downstream tooling can reconcile fields deterministically.
- **Deterministic ordering:** Sort structured entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes. We are keeping this policy “as-is” for now to avoid churn in Advisory AI prompts.
- **External parity:** Continue mapping fields named in competitor docs (GitHub Security Advisory GraphQL, Red Hat CVE data API, Cisco PSIRT openVuln) so migrations remain predictable.
## Workstream A — Advisory AI Structured Fields (AIAI-31)
Task ID | State | Exit criteria | Owners
--- | --- | --- | ---
CONCELIER-AIAI-31-002 `Structured fields` | DOING | 1) Program.cs endpoint fully rewritten to resolve the canonical advisory (via `IAdvisoryStore`/`IAliasStore`) and issue structured field entries. 2) Cache key = `tenant + AdvisoryFingerprint`. 3) Responses contain `{chunkId, fingerprint, entries[], provenance.documentId, provenance.observationPath}` with deterministic ordering. 4) Tests updated (`StatementProvenanceEndpointAttachesMetadata`, new structured chunk fixture) and Mongo2Go coverage passes. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-AIAI-31-003 `Advisory AI telemetry` | DONE (2025-11-12) | OTEL counters (`advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total`) tagged with tenant/result/cache. Nothing further planned unless guardrail policy changes. | Concelier WebService Guild · Observability Guild
### Implementation checklist (kept inline until CONCELIER-AIAI-31-002 ships)
1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard.
2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`.
3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors.
4. Refresh telemetry tests to assert `Response.Entries.Count`.
5. Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references.
## Workstream B — Mirror & Offline Provenance (AIRGAP-56/57/58)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Implement read paths for Offline Kit bundles, persist `bundleId`, `merkleRoot`, and maintain append-only ledger comparisons. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Every observation/linkset stores `{bundleId, merkleRoot, observationPath}` so exported evidence can cite provenance exactly once; depends on 56-001. | Concelier Core Guild · AirGap Importer Guild
CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Feature flag + policy that rejects non-mirror connectors with actionable diagnostics; depends on 56-001. | Concelier Core Guild · AirGap Policy Guild
CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute `fetchedAt/publishedAt/clockSource` deltas per bundle and expose via observation APIs without mutating evidence; depends on 56-002. | Concelier Core Guild · AirGap Time Guild
CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory observations/linksets + provenance notes (document id + observationPath) into timeline-bound portable bundles with verifier instructions; depends on 57-002. | Concelier Core Guild · Evidence Locker Guild
## Workstream C — Transparency & Attestor (ATTEST-73)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Emit `{observationDigest, linksetDigest, documentId}` pairs required by Attestor so DSSE bundles include the same provenance anchors Advisory AI emits. | Concelier Core Guild · Attestor Service Guild
CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Read APIs expose `bundleId`, Rekor references, and observation paths for external transparency explorers; depends on 73-001. | Concelier Core Guild
## Workstream D — Console & Search Surfaces (CONSOLE-23)
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | `/console/advisories` returns grouped linksets with per-source severity/status chips plus `{documentId, observationPath}` provenance references (matching GHSA + Red Hat CVE browser expectations); depends on CONCELIER-LNM-21-201/202. | Concelier WebService Guild · BE-Base Platform Guild
CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Deterministic “new/modified/conflicting” sets referencing linkset IDs and field paths rather than computed verdicts; depends on 23-001. | Concelier WebService Guild
CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | CVE/GHSA/PURL lookups return observation excerpts, provenance anchors, and cache hints so tenants can preview evidence safely; reuse structured field taxonomy from Workstream A. | Concelier WebService Guild
## Workstream E — Tenant Scope & AOC Guardrails
Task ID | State | Exit criteria / notes | Owners
--- | --- | --- | ---
CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
## Recent Updates
- 2025-11-12: CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic; dashboards now display cache hit ratios and guardrail blocks per tenant.
- 2025-11-13: Sprint rebaseline complete; structured field scope locked to canonical model + provenance anchors, matching competitor schemas for short-term parity.
## Current status (2025-11-13)
| Workstream | State | Notes |
| --- | --- | --- |
| A Advisory AI structured fields | 🔶 DOING | CONCELIER-AIAI-31-002 code work in progress; schema locked, telemetry landed, release blocked on Link-Not-Merge + CARTO schemas. |
| B Mirror & offline provenance | 🔴 BLOCKED | No work can start until MIRROR-CRT-56-001 staffing and Offline Kit bundle contracts finalize. |
| C Transparency & Attestor | 🔴 BLOCKED | Waiting on Workstream A output plus attestation backlog sequencing (Sprint 110/Excititor). |
| D Console & search surfaces | 🔶 WATCHING | Scoped but dependencies on Link-Not-Merge + Console backlog; preparing schema docs in parallel. |
| E Tenant scope & AOC guardrails | 🔶 WATCHING | Requires Authority smoke coverage; no active engineering yet but tests ready to clone once structured endpoint stabilizes. |
## Blockers & dependencies
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. |
| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. |
| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. |
| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. |
## Next actions (target: 2025-11-16)
| Workstream | Owner(s) | Action | Status |
| --- | --- | --- | --- |
| A | Concelier WebService Guild | Finish `ResolveAdvisoryAsync`, cache key update, and structured response builder; prep PR for review once schema approved. | In progress |
| A | Docs Guild | Draft structured field schema appendix referencing provenance anchors for Advisory AI docs. | Pending |
| B | Concelier Core + Mirror leadership | Join 2025-11-15 kickoff, capture MIRROR-CRT-56-001 owner, and align bundle metadata contract. | Pending |
| C | Concelier Core + Evidence Locker | Produce attestation payload outline so ATTEST-73-001 can start immediately after sequencing meeting. | Pending |
| D | Concelier WebService Guild | Prepare `/console/advisories` API spec (field list, provenance references) so implementation can begin once Link-Not-Merge clears. | Drafting |
| E | Concelier Core | Clone Authority smoke suites to cover new structured endpoint once Workstream A enters review. | Pending |
## Standup prompts
1. Has Link-Not-Merge schema review resolved all blocking comments? If not, what fields remain at risk?
2. Who will own MIRROR-CRT-56-001 after the 2025-11-15 kickoff, and do we have staffing for follow-on AIRGAP tasks?
3. Did Evidence Locker accept the attestation contract draft, enabling ATTEST-73-001 to move forward?
4. Are Authority/AOC smoke tests ready to clone once structured fields release, or do we need additional scope from AUTH-SIG-26-001?
## Risks (snapshot 2025-11-13)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| Link-Not-Merge schema slips past 2025-11-14 | Structured fields + console APIs stay unreleased, blocking Advisory AI and Console surfaces. | Push for schema sign-off during 2025-11-14 review; prep fallback adapter if necessary. |
| Mirror staffing unresolved | AirGap provenance work (AIRGAP-56/57/58) cannot start, delaying Offline Kit parity. | Escalate at 2025-11-15 kickoff; consider borrowing engineers from Evidence Locker or Export guilds. |
| Evidence Locker contract delay | ATTEST-73 work cannot begin, leaving Advisory AI without attested provenance. | Align with Excititor/Evidence Locker owners during 2025-11-15 sequencing session; draft interim spec. |
| Authority smoke coverage gap | AOC guardrails may regress when structured endpoint ships. | Schedule paired testing with Authority guild once Workstream A PR is ready. |
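Review bot: deleting this file drops in-progress state with no forwarding pointer: the CONCELIER-AIAI-31-002 implementation checklist (ResolveAdvisoryAsync helper, AdvisoryFingerprint cache key, handler rewrite, telemetry test refresh, doc updates), the blockers table and the 2025-11-16 next actions. The Sprint 110 tracker changed in this same commit only carries the item as BLOCKED on the Link-Not-Merge schema, so the checklist would have to be reconstructed once that schema clears. Either move the checklist and next-actions table into the surviving sprint document, or add a line stating where the content was archived, as the Sprint 113 header does with "Completed/historic work now resides in docs/implplan/archived/tasks.md".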

View File

@@ -1,24 +0,0 @@
# Sprint 113 - Ingestion & Evidence · 110.B) Concelier.II
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-004 `Merge code removal` | TODO | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. Depends on CONCELIER-LNM-21-005. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into the new observation/linkset collections, seed tombstones for deprecated docs, and provide rollback tooling for Offline Kit operators. Depends on CONCELIER-LNM-21-101. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Move large raw payloads to object storage with deterministic pointers, update bootstrapper/offline kit seeds, and guarantee provenance metadata remains intact. Depends on CONCELIER-LNM-21-102. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add `/advisories/observations` with filters for alias/purl/source plus strict tenant scopes; responses must only echo upstream values + provenance fields. Depends on CONCELIER-LNM-21-103. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement `/advisories/linksets`/`export`/`evidence` endpoints surfacing correlation + conflict payloads and `ERR_AGG_*` error mapping, never exposing synthesis/merge results. Depends on CONCELIER-LNM-21-201. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish idempotent NATS/Redis events for new observations/linksets with schemas documented for downstream consumers; include tenant + provenance references only. Depends on CONCELIER-LNM-21-202. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService)
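Review bot: the dependency order in CONCELIER-LNM-21-101 is inverted: provisioning the `advisory_observations` / `advisory_linksets` collections is listed as depending on CONCELIER-LNM-21-005 (event emission), but the model from CONCELIER-LNM-21-001 cannot be persisted, and the `advisory.linkset.updated` events from 21-005 cannot be replayed, until those collections exist, so 21-101 should depend on 21-001 and sit ahead of 21-005. The same row also adds "TTL for ingest metadata" to collections that CONCELIER-LNM-21-004 makes append-only; state exactly which fields the TTL covers so that observation bodies and provenance metadata are never expired by the index, otherwise the "never collapsing conflicting facts" guarantee in 21-002 can be silently broken by index-driven deletion rather than by merge code.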

View File

@@ -1,23 +0,0 @@
# Sprint 114 - Ingestion & Evidence · 110.B) Concelier.III
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update the OpenAPI spec so every observation/linkset/timeline endpoint documents provenance fields, tenant scopes, and AOC guarantees (no consensus fields), giving downstream SDKs unambiguous contracts. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-61-002 `Examples library` | TODO | Provide realistic examples (conflict linksets, multi-source severity, timeline snippets) showing how raw advisories are surfaced without merges; wire them into docs/SDKs. Depends on CONCELIER-OAS-61-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios covering advisory search, pagination, and conflict handling to ensure each language client preserves provenance fields and does not infer verdicts. Depends on CONCELIER-OAS-61-002. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired, keeping operators informed while discouraging use of merge-era APIs. Depends on CONCELIER-OAS-62-001. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts so we can prove the evidence pipeline remains healthy without resorting to heuristics. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-52-001 `Timeline events` | TODO | Produce timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, and evidence hashes—pure facts for downstream replay. Depends on CONCELIER-OBS-51-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Generate evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests so audits can replay advisory history without touching live Mongo. Depends on CONCELIER-OBS-52-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to advisory batches, expose verification APIs, and link attestation IDs into timeline + ledger for transparency. Depends on CONCELIER-OBS-53-001. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Implement incident-mode levers (extra sampling, retention overrides, redaction guards) that collect more raw evidence without mutating advisory content. Depends on CONCELIER-OBS-54-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register every advisory connector with the orchestrator (metadata, auth scopes, rate policies) so ingest scheduling is transparent and reproducible. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Adopt the orchestrator worker SDK in ingestion loops, emitting heartbeats/progress/artifact hashes to guarantee deterministic replays. Depends on CONCELIER-ORCH-32-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator pause/throttle/retry controls with structured error outputs and persisted checkpoints so operators can intervene without losing evidence. Depends on CONCELIER-ORCH-32-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills that reuse artifact hashes/signatures, log provenance, and push run metadata to the ledger for audits. Depends on CONCELIER-ORCH-33-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy can join raw evidence without Concelier suggesting outcomes. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
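Review bot: this hunk deletes the whole Sprint 114 board while every row is still TODO, yet the only relocation the header names is "Completed/historic work now resides in docs/implplan/archived/tasks.md"; the commit should say where these active items now live, or the chain CONCELIER-OBS-51-001 through CONCELIER-OBS-55-001 (metrics, timeline, evidence snapshots, DSSE attestation, incident mode) loses its ordering. One content gap worth carrying across: CONCELIER-OBS-53-001 promises evidence locker bundles with Merkle manifests and CONCELIER-OBS-54-001 attaches DSSE attestations to batches, but neither row names which service or key signs the manifest or how the verification API checks it, and that is the detail an auditor replaying advisory history will need.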

View File

@@ -1,22 +0,0 @@
# Sprint 115 - Ingestion & Evidence · 110.B) Concelier.IV
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Expand linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version-range parsing so policy joins become more accurate without Concelier prioritizing sources. Depends on CONCELIER-POLICY-20-001. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Introduce advisory selection cursors + change-stream checkpoints that let Policy Engine process deltas deterministically; include offline migration scripts. Depends on CONCELIER-POLICY-20-002. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views (alias, provider severity, correlation confidence) so policy lookups stay fast without caching derived verdicts; document the supported query patterns. Depends on CONCELIER-POLICY-20-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` events ship with idempotent IDs, confidence summaries, and tenant metadata so policy consumers can replay evidence feeds safely. Depends on CONCELIER-POLICY-23-001. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Surface vendor-provided CVSS/KEV/fix data exactly as published (with provenance anchors) through provider APIs so risk engines can reason about upstream intent. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers can cite which upstream statements exist; no weighting is applied inside Concelier. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Wire advisory signal pickers into Policy Studio so curators can select which raw advisory fields feed policy gating; validation must confirm fields are provenance-backed. Depends on POLICY-RISK-68-001. | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit notifications when upstream advisory fields change (e.g., fix available) with observation IDs + provenance so Notifications service can alert without inferring severity. Depends on CONCELIER-RISK-66-002. | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose upstream-provided affected symbol/function lists via APIs to help reachability scoring; maintain provenance and do not infer exploitability. Depends on SIGNALS-24-002. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Execute the raw-linkset backfill/rollback plan (`docs/dev/raw-linkset-backfill-plan.md`) so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. Depends on CONCELIER-CORE-AOC-19-004. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo)
CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Enforce tenant scoping throughout normalization/linking, expose capability endpoint advertising `merge=false`, and ensure events include tenant IDs. Depends on AUTH-TEN-47-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core)
CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations can cite Concelier evidence without requesting merges. Depends on CONCELIER-VULN-29-001, VEXLENS-30-005. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService)
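Review bot: several rows in this deleted board carry cross-module dependencies that are recorded only here: CONCELIER-RISK-68-001 on POLICY-RISK-68-001, CONCELIER-SIG-26-001 on SIGNALS-24-002, CONCELIER-TEN-48-001 on AUTH-TEN-47-001, and CONCELIER-VEXLENS-30-001 on CONCELIER-VULN-29-001 and VEXLENS-30-005. Make sure the consolidated board keeps those links, since the tenant-scoping enforcement in CONCELIER-TEN-48-001 (the `merge=false` capability endpoint and tenant IDs on events) is a security control that must not ship before AUTH-TEN-47-001 lands. CONCELIER-STORE-AOC-19-005 is also a dated TODO whose rollback rehearsal against Offline Kit bundles is tracked nowhere else, so the commit should point at the new tracker for `docs/dev/raw-linkset-backfill-plan.md` rather than leaving that rehearsal untracked.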

View File

@@ -1,24 +0,0 @@
# Sprint 116 - Ingestion & Evidence · 110.B) Concelier.V
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, and chunk latencies; stream them to Vuln Explorer without altering evidence payloads. Depends on CONCELIER-VULN-29-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, and enforce sealed-mode by blocking direct internet feeds. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets` so operators can see freshness without Excitior deriving outcomes. Depends on CONCELIER-WEB-AIRGAP-56-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to consistent `AIRGAP_EGRESS_BLOCKED` payloads that explain how to remediate, leaving advisory content untouched. Depends on CONCELIER-WEB-AIRGAP-56-002. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle imports (bundle ID, scope, actor) so audit trails capture every evidence change. Depends on CONCELIER-WEB-AIRGAP-57-001. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), and supersedes chains to keep ingestion append-only. Depends on CONCELIER-WEB-AOC-19-002. | QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests that ingest large advisory batches (cold/warm), verify reproducible linksets, and record metrics/fixtures for Offline Kit rehearsals. Depends on CONCELIER-WEB-AOC-19-003. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-005 `Chunk evidence regression` | TODO (2025-11-08) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve correctly; ensure Mongo migrations stop logging “Unable to locate advisory_raw documents” during tests. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-006 `Allowlist ingest auth parity` | TODO (2025-11-08) | Align default auth/tenant configs with the test fixtures so allowlisted tenants can ingest before forbidden tenants are rejected, closing the gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-AOC-19-007 `AOC verify violation codes` | TODO (2025-11-08) | Update AOC verify logic so guard failures emit `ERR_AOC_001` (not `_004`) and keep mapper/guard parity covered by regression tests. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure every API returns the standardized error envelope and update controllers/tests accordingly (prereq for SDK/doc alignment). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Publish curated examples for observations/linksets/conflicts and wire them into the developer portal. Depends on CONCELIER-WEB-OAS-61-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. Depends on CONCELIER-WEB-OAS-62-001. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Add `/obs/concelier/health` surfaces for ingest health, queue depth, and SLO status so Console widgets can display real-time evidence pipeline stats. Depends on CONCELIER-WEB-OBS-50-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, and audit logging so operators can monitor evidence changes live. Depends on CONCELIER-WEB-OBS-51-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
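Review bot: the observability endpoints in CONCELIER-WEB-OBS-51-001 (`/obs/concelier/health`) and CONCELIER-WEB-OBS-52-001 (`/obs/concelier/timeline` SSE) state no required scope, while CONCELIER-WEB-OBS-53-001 in the following file explicitly verifies `evidence:read`; queue depth, SLO status and a live stream of evidence changes are tenant-sensitive, so both rows should name the scope and the tenant filter before the SSE stream is exposed, and "paging tokens, guardrails, and audit logging" should say which events are audited. Also note that CONCELIER-WEB-AOC-19-007 changes the emitted guard code from `ERR_AOC_004` to `ERR_AOC_001` while CONCELIER-WEB-AOC-19-003 enumerates `ERR_AOC_001/2/6/7` as the forbidden-field guards; whichever board inherits these should keep the two rows together so the mapper/guard parity tests assert on the same code list.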

View File

@@ -1,16 +0,0 @@
# Sprint 117 - Ingestion & Evidence · 110.B) Concelier.VI
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes that proxy evidence locker snapshots, verify `evidence:read` scopes, and return signed manifest metadata—no shortcut paths into raw storage. Depends on CONCELIER-WEB-OBS-52-001. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` endpoints surfacing DSSE status, verification summary, and provenance chain so CLI/Console can audit trust without hitting databases. Depends on CONCELIER-WEB-OBS-53-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService)
CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident-mode APIs that coordinate ingest, locker, and orchestrator, capturing activation events + cooldown semantics but leaving evidence untouched. Depends on CONCELIER-WEB-OBS-54-001. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService)
FEEDCONN-CCCS-02-009 `Version range provenance (Oct 2025)` | TODO | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys per the Link-Not-Merge schema/doc recipes. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild CCCS (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs)
FEEDCONN-CERTBUND-02-010 `Version range provenance` | TODO | Translate CERT-Bund `product.Versions` phrases into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) while retaining localisation notes; update mapper/tests for Link-Not-Merge. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild CertBund (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund)
FEEDCONN-CISCO-02-009 `SemVer range provenance` | DOING (2025-11-08) | Emit Cisco SemVer ranges into the new observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild Cisco (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco)
DOCS-LNM-22-008 `No-merge migration doc` | DONE (2025-11-03) | Documented Link-Not-Merge migration plan in `docs/migration/no-merge.md`; keep synced with ongoing tasks. | Docs Guild, DevOps Guild (docs)
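Review bot: the three connector rows define three different provenance-anchor shapes (`cccs:{serial}:{index}`, `certbund:{advisoryId}:{vendor}`, `cisco:{productId}`) for the same `advisory_observations.affected.versions[]` field that CONCELIER-LNM-21-001 is meant to make uniform; without a documented common grammar (a source prefix followed by a source-specific path with a fixed separator) downstream consumers cannot parse or compare anchors across sources, so the consolidated board should add a shared anchor-format task ahead of FEEDCONN-CCCS-02-009, FEEDCONN-CERTBUND-02-010 and FEEDCONN-CISCO-02-009. FEEDCONN-CISCO-02-009 is in DOING state, and DOCS-LNM-22-008 says `docs/migration/no-merge.md` must be kept synced with ongoing tasks; deleting the board mid-flight breaks that sync unless the commit names the replacement tracker.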

View File

@@ -1,102 +0,0 @@
# Sprint 119 - Ingestion & Evidence · 110.C) Excititor.I
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ingestion & Evidence] 110.C) Excititor.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Excititor (phase I).
> **Prep:** Read `docs/modules/excititor/architecture.md` and the relevant Excititor `AGENTS.md` files (per component directory) before working any tasks below; this preserves the guidance that previously lived in the component boards.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-AIAI-31-001 `Justification enrichment` | DONE (2025-11-12) | Expose normalized VEX justifications, product scope trees, and paragraph/JSON-pointer anchors via `VexObservation` projections so Advisory AI can cite raw evidence without invoking any consensus logic. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Ship `/vex/evidence/chunks` with tenant/policy filters that streams raw statements, signature metadata, and scope scores for Retrieval-Augmented Generation clients; response must stay aggregation-only and reference observation/linkset IDs. Depends on EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-003 `Telemetry & guardrails` | IN REVIEW (2025-11-13) | Instrument the new evidence APIs with request counters, chunk sizes, signature verification failure meters, and AOC guard violations so Lens/Advisory AI teams can detect misuse quickly. Depends on EXCITITOR-AIAI-31-002. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIAI-31-004 `Schema & docs alignment` | TODO | Update OpenAPI/SDK/docs to codify the Advisory-AI evidence contract (fields, determinism guarantees, pagination) and describe how consumers map observation IDs back to raw storage. | Excititor WebService Guild, Docs Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIRGAP-56-001 `Mirror-first ingestion` | TODO | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-AIRGAP-58-001 `Portable evidence bundles` | TODO | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-ATTEST-01-003 `Verification suite & observability` | TODO (2025-11-06) | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove we can verify DSSE bundles for every evidence batch without touching consensus results (see `EXCITITOR-ATTEST-01-003-plan.md`). | Excititor Attestation Guild (src/Excititor/__Libraries/StellaOps.Excititor.Attestation)
EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-CONN-TRUST-01-001 `Connector provenance parity` | TODO | Update MSRC, Oracle, Ubuntu, and Stella mirror connectors to emit signer fingerprints, issuer tiers, and bundle references while remaining aggregation-only; document how Lens consumers should interpret these hints. | Excititor Connectors Guild (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*)
## Task clusters & readiness
### Advisory-AI evidence APIs
- **Delivered:** `EXCITITOR-AIAI-31-001` (`/v1/vex/observations/{vulnerabilityId}/{productKey}` projection API) landed 2025-11-12 with normalized justifications and anchors.
- **In flight:** `EXCITITOR-AIAI-31-003` (instrumentation + guardrails) and `EXCITITOR-AIAI-31-004` (OpenAPI/SDK/docs alignment).
- **Dependencies:** Needs `EXCITITOR-AIAI-31-002` (projection service plumbing) — confirmed completed via architecture doc; observability pipeline requires Ops dashboards.
- **Ready-to-start checklist:** finalize request/response examples in OpenAPI, add replayable telemetry fixtures, and attach Advisory-AI contract summary to this sprint doc.
### AirGap ingestion & portable bundles
- **Scope:** `EXCITITOR-AIRGAP-56/57/58` (mirror-first ingestion, sealed-mode enforcement, portable evidence bundles).
- **Dependencies:** relies on Attestor DSSE verification (Sprint 100.A) and AirGap policy toggles; Evidence Locker partnership needed for portable bundle format.
- **Ready-to-start checklist:**
1. Secure mirror bundle schema from Export Center (Sprint 162) and attach sample manifests.
2. Document sealed-mode error catalog + diagnostics surfaced to Advisory AI/Lens during offline enforcement.
3. Define bundle manifest → timeline ID mapping for Advisory AI, referencing Export Center + TimelineIndexer contracts.
### Attestation & provenance chain
- **Tasks:** `EXCITITOR-ATTEST-01-003`, `EXCITITOR-ATTEST-73-001`, `EXCITITOR-ATTEST-73-002`.
- **Dependencies:** Attestor service readiness (Sprint 100.A) plus DSSE payload contract; requires `IVexAttestationVerifier` plan doc referenced in repo.
- **Ready-to-start checklist:**
1. Finish verifier test harness & deterministic diagnostics.
2. Capture sample attestation payload spec (supplier identity, justification summary, scope metadata) and attach here.
3. Describe provenance linkage for `/v1/vex/attestations/{id}` + observation/linkset/product tuples in docs.
### Connector provenance parity
- **Task:** `EXCITITOR-CONN-TRUST-01-001` (MSRC/Oracle/Ubuntu/Stella connectors).
- **Dependencies:** Source feeds must already emit signer metadata; align with AOC aggregator guardrails; ensure docs outline how Lens consumes trust hints.
- **Ready-to-start checklist:**
1. Inventory current connector coverage + signer metadata availability.
2. Define signer fingerprint + issuer tier schema shared across connectors (document in module README).
3. Update acceptance tests under `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*` to assert provenance payload.
## Dependencies & blockers
- Attestor DSSE verification (`EXCITITOR-ATTEST-01-003`, Sprint 100.A) gates `EXCITITOR-ATTEST-73-001/002` and portable bundles.
- Export Center mirror bundle schema (Sprint 162) and EvidenceLocker portable bundle format (Sprint 160/161) must land before `EXCITITOR-AIRGAP-56/58` can proceed; target sync 2025-11-15.
- Observability stack (Ops/Signals wave) must expose span/metric sinks before `EXCITITOR-AIAI-31-003` instrumentation merges; waiting on Ops telemetry MR.
- Security review pending for connector provenance fingerprints to ensure no secrets leak in aggregation-only mode; Docs/Security review scheduled 2025-11-18.
## Documentation references
- `docs/modules/excititor/architecture.md` — authoritative data model, APIs, and guardrails for Excititor.
- `docs/modules/excititor/README.md#latest-updates` — consensus beta + Advisory-AI integration context.
- `docs/modules/excititor/mirrors.md` — AirGap/mirror ingestion checklist referenced by `EXCITITOR-AIRGAP-56/57`.
- `docs/modules/excititor/operations/*` — observability + sealed-mode runbooks feeding `EXCITITOR-AIAI-31-003` instrumentation requirements.
- `docs/modules/excititor/implementation_plan.md` — per-module workstream alignment table (mirrors Sprint 200 documentation process).
## Action tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (`EXCITITOR-AIAI-31-004`). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
| Observability | Wire metrics/traces for `/v1/vex/observations/**` and document dashboards (`EXCITITOR-AIAI-31-003`). | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + ops runbook ready; waiting on Ops span sink deploy) |
| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for `EXCITITOR-AIRGAP-56/57`. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for `EXCITITOR-AIRGAP-58-001`. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
| Attestation | Complete verifier suite + diagnostics for `EXCITITOR-ATTEST-01-003`. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness 80% complete) |
| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (`EXCITITOR-CONN-TRUST-01-001`). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) |
## Upcoming checkpoints (UTC)
| Date | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for `EXCITITOR-CONN-TRUST-01-001`. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock `EXCITITOR-AIRGAP-56/57` (schema still pending). | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock `EXCITITOR-ATTEST-73-*`. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for `EXCITITOR-AIAI-31-003`. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
## Risks & mitigations
| Risk | Severity | Impact | Mitigation |
| --- | --- | --- | --- |
| Observability sinks not ready for `EXCITITOR-AIAI-31-003` | Medium | Advisory-AI misuse would go undetected | Coordinate with Ops to reuse Signals dashboards; ship log-only fallback. |
| Mirror bundle schema slips (Export Center/AirGap) | High | Blocks sealed-mode + portable bundles | Use placeholder schema from `docs/modules/export-center/architecture.md` and note deltas; escalate to Export Center leads. |
| Attestation verifier misses 2025-11-16 target | High | Attestation payload tasks cannot start | Daily stand-ups with Attestation Guild; parallelize diagnostics while verifier finalizes. |
| Connector signer metadata incomplete | Medium | Trust parity story delayed | Stage connector-specific TODOs; allow partial rollout with feature flags. |
## Status log
- 2025-11-12 — Snapshot refreshed; EXCITITOR-AIAI-31-001 marked DONE, remaining tasks pending on observability, AirGap bundle schemas, and attestation verifier completion.
- 2025-11-13 — Added readiness checklists per task cluster plus action tracker; awaiting outcomes from Export Center mirror schema delivery and Attestor verifier rehearsals before flipping AirGap/Attestation tasks to DOING.
- 2025-11-13 (EOD) — OpenAPI draft for `EXCITITOR-AIAI-31-004` shared for review; Observability wiring blocked until Ops deploys span sink, noted above.
- 2025-11-14 — Connector provenance schema review scheduled; awaiting schema draft delivery before meeting. Export Center mirror schema still pending, keeping `EXCITITOR-AIRGAP-56/57` blocked.
- 2025-11-14 — `EXCITITOR-AIAI-31-003` instrumentation (request counters, chunk histogram, signature failure + guard-violation meters) merged into Excititor WebService; telemetry export remains blocked on Ops span sink rollout.
- 2025-11-14 (PM) — Published `docs/modules/excititor/operations/observability.md` documenting the new evidence metrics so Ops/Lens can hook dashboards while waiting for the span sink deployment.
> 2025-11-12: EXCITITOR-AIAI-31-001 delivered `/v1/vex/observations/{vulnerabilityId}/{productKey}` backed by the new `IVexObservationProjectionService`, returning normalized statements (scope tree, anchors, document metadata) so Advisory AI and Console can cite raw VEX evidence without touching consensus logic.
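Review bot: the 2025-11-12 delivery blockquote sits after a status log that already runs through 2025-11-14 (PM), so it reads out of order and partly duplicates the 2025-11-12 bullet above it. Fold the `/v1/vex/observations/{vulnerabilityId}/{productKey}` and `IVexObservationProjectionService` details into that bullet, or move the blockquote above the "## Status log" heading, so a reader scanning the log chronologically does not miss the one entry that records a shipped endpoint.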

@@ -1,84 +0,0 @@
# Sprint 120 - Policy & Reasoning
_Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Findings.I
Dependency: Sprint 110.A - AdvisoryAI (must land before this track).
Focus: Policy & Reasoning focus on Findings (phase I).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | LEDGER-29-007 | TODO | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards (Deps: LEDGER-29-006) | Findings Ledger Guild, Observability Guild / src/Findings/StellaOps.Findings.Ledger |
| 2 | LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant (Deps: LEDGER-29-007) | Findings Ledger Guild, QA Guild / src/Findings/StellaOps.Findings.Ledger |
| 3 | LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions (Deps: LEDGER-29-008) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger |
| 4 | LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries (Deps: LEDGER-29-009) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 5 | LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
| 6 | LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging (Deps: LEDGER-AIRGAP-56-001) | Findings Ledger Guild, AirGap Time Guild / src/Findings/StellaOps.Findings.Ledger |
| 7 | LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works (Deps: LEDGER-AIRGAP-56-002) | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger |
| 8 | LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context (Deps: LEDGER-AIRGAP-57-001) | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger |
| 9 | LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger |
## Findings.I scope & goals
- Deliver ledger observability baselines (`LEDGER-29-007/008/009`) so Policy teams can trust ingestion, anchoring, and replay at >5M findings/tenant.
- Extend ledger provenance to cover orchestrator jobs, air-gapped bundle imports, and attestation evidence (`LEDGER-34-101`, `LEDGER-AIRGAP-*`, `LEDGER-ATTEST-73-001`).
- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) and documentation so downstream guilds can adopt without bespoke guidance.
### Entry criteria
- Sprint 110.A AdvisoryAI deliverables must be complete (raw findings parity, provenance contracts).
- Observability Guild approves metric names/labels for `ledger_*` series.
- Mirror bundle schemas (AirGap kits) published so `LEDGER-AIRGAP-*` tasks can reference stable fields.
### Exit criteria
- Metrics/logs/dashboards live in ops telemetry packs with alert wiring.
- Determinism/load harness produces signed report for 5M findings/tenant scenario.
- Deployment manifests + offline kit instructions reviewed by DevOps/AirGap guilds.
- Ledger records referential pointers to orchestrator runs, bundle provenance, and attestation envelopes.
## Task clusters & owners
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
| --- | --- | --- | --- | --- |
| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec added in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. |
| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. |
| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
## Milestones & dependencies
| Target date | Milestone | Dependency / owner | Notes |
| --- | --- | --- | --- |
| 2025-11-15 | Metrics + dashboard schema sign-off | Observability Guild | Unblocks LEDGER-29-007 instrumentation PR. |
| 2025-11-18 | Determinism + replay harness dry-run at 5M findings | QA Guild | Required before LEDGER-29-008 can close. |
| 2025-11-20 | Helm/Compose manifests + backup doc review | DevOps Guild · AirGap Controller Guild | Needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001. |
| 2025-11-22 | Mirror bundle provenance schema freeze | AirGap Time Guild | Enables LEDGER-AIRGAP-56/57/58 sequencing. |
| 2025-11-25 | Orchestrator ledger export contract signed | Orchestrator Guild | Prereq for LEDGER-34-101 linkage. |
## Risks & mitigations
- **Metric churn** — Observability schema changes could slip schedule. Mitigation: lock metric names by Nov15 and document in `docs/observability/policy.md`.
- **Replay workload** — 5M findings load tests may exceed lab capacity. Mitigation: leverage existing QA replay rig, capture CPU/memory budgets for runbooks.
- **Air-gap drift** — Mirror bundle format still moving. Mitigation: version provenance schema, gate LEDGER-AIRGAP-* merge until doc + manifest updates reviewed.
- **Cross-guild lag** — Orchestrator/Attestor dependencies may delay provenance pointers. Mitigation: weekly sync notes in sprint log; add feature flags so ledger work can merge behind toggles.
## External dependency tracker
| Dependency | Current state (2025-11-13) | Impact |
| --- | --- | --- |
| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. |
| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. |
| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. |
| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. |
| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
## Coordination log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |
| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild |
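Review bot: the Findings.I task table (LEDGER-29-007 through LEDGER-ATTEST-73-001), the external dependency tracker and the coordination log disappear with this file deletion, and nothing in the diff shows where they moved. If the tasks were migrated to another sprint file, leave a one-line stub or an entry in the surviving sprint index pointing at the new location so that the documents this file linked (`docs/modules/findings-ledger/observability.md`, `deployment.md`, `replay-harness.md`, `implementation_plan.md`, `airgap-provenance.md`) keep an owning sprint, and mention the removal in the commit description; an 84-line deletion with no forwarding note is easy to mistake for an accidental drop.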

@@ -18,6 +18,9 @@ SCAN-DETER-186-009 | TODO | Build a determinism harness that replays N scans per
SCAN-DETER-186-010 | TODO | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`) SCAN-DETER-186-010 | TODO | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
SCAN-ENTROPY-186-011 | TODO | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) SCAN-ENTROPY-186-011 | TODO | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
SCAN-ENTROPY-186-012 | TODO | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`) SCAN-ENTROPY-186-012 | TODO | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
SCAN-CACHE-186-013 | TODO | Implement layer-level SBOM/VEX cache keyed by (layer digest + manifest hash + tool/feed/policy IDs); re-verify DSSE attestations on cache hits and persist indexes for reuse/diagnostics; document in `docs/modules/scanner/architecture.md` referencing the 16-Nov-2026 layer cache advisory. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`)
SCAN-DIFF-CLI-186-014 | TODO | Add deterministic diff-aware rescan workflow (writes `scan.lock.json`, emits JSON Patch diffs, CLI verbs `stella scan --emit-diff` and `stella diff`) with replayable tests and docs aligned to the 15/16-Nov diff-aware advisories. | Scanner Guild · CLI Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Cli/StellaOps.Cli`, `tests/Scanner`, `docs/modules/scanner/operations/release.md`)
SBOM-BRIDGE-186-015 | TODO | Establish SPDX 3.0.1 as canonical SBOM persistence and build a deterministic CycloneDX 1.6 exporter (mapping table + library); update scanner/SBOM docs and wire snapshot hashes into replay manifests. | Sbomer Guild · Scanner Guild (`src/Sbomer`, `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
DOCS-REPLAY-186-004 | TODO | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`) DOCS-REPLAY-186-004 | TODO | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`)
> 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation. > 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation.
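Review bot: the date in SCAN-CACHE-186-013, "the 16-Nov-2026 layer cache advisory", looks like a typo for 2025: the sibling row SCAN-DIFF-CLI-186-014 cites "the 15/16-Nov diff-aware advisories" without a year and the sprint itself is dated November 2025. Write both references in one form (e.g. `16-Nov-2025`) so the advisory can actually be located. Also, since the row relies on re-verifying DSSE attestations on cache hits, state that the verification includes matching the attestation subject digest against the layer digest in the key, not only the signature; otherwise a valid attestation for a different layer would satisfy the check.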

@@ -10,6 +10,7 @@ EVID-REPLAY-187-001 | TODO | Implement replay bundle ingestion/retention APIs in
CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update `docs/modules/cli/architecture.md` and add a replay commands appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`) CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update `docs/modules/cli/architecture.md` and add a replay commands appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`)
ATTEST-REPLAY-187-003 | TODO | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend `docs/modules/attestor/architecture.md` with a replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`) ATTEST-REPLAY-187-003 | TODO | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend `docs/modules/attestor/architecture.md` with a replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`)
RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay specification summary. | Docs Guild, Ops Guild (`docs`) RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay specification summary. | Docs Guild, Ops Guild (`docs`)
VALIDATE-BUNDLE-187-005 | TODO | Deliver `VALIDATION_PLAN.md`, harness scripts (A/B quiet vs baseline, provenance bundle export), and a `stella bundle verify` CLI subcommand that checks DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits. | QA Guild · CLI Guild · Docs Guild (`docs/validation`, `scripts/validation`, `src/Cli/StellaOps.Cli`)
EVID-CRYPTO-90-001 | TODO | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` so sovereign profiles (e.g., `ru-offline`) can swap providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Evidence Locker Guild, Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) EVID-CRYPTO-90-001 | TODO | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` so sovereign profiles (e.g., `ru-offline`) can swap providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Evidence Locker Guild, Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`)
> 2025-11-03: `/docs/runbooks/replay_ops.md` created — Evidence Locker, CLI, Attestor teams can transition replay delivery tasks to **DOING** alongside Ops runbook rehearsals. > 2025-11-03: `/docs/runbooks/replay_ops.md` created — Evidence Locker, CLI, Attestor teams can transition replay delivery tasks to **DOING** alongside Ops runbook rehearsals.
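Review bot: VALIDATE-BUNDLE-187-005 introduces a `stella bundle verify` subcommand while CLI-REPLAY-187-002, three rows up, already adds a top-level `verify` command with offline bundle resolution. Either state that `bundle verify` builds on that command and list CLI-REPLAY-187-002 as a dependency, or spell out how the two verbs differ; as written the CLI would gain two verification entry points with different claim coverage (DSSE/Rekor/SBOM/policy/replay here, unspecified there). Add `docs/modules/cli/architecture.md` to the row's paths as CLI-REPLAY-187-002 does, so the new verb lands in the CLI reference.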

@@ -55,5 +55,8 @@ _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSS
| PROV-INLINE-401-028 | DONE | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | | PROV-INLINE-401-028 | DONE | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) |
| PROV-BACKFILL-401-029 | DOING | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | | PROV-BACKFILL-401-029 | DOING | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) |
| PROV-INDEX-401-030 | TODO | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | | PROV-INDEX-401-030 | TODO | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) |
| QA-CORPUS-401-031 | TODO | Build and publish the multi-runtime reachability corpus (Go/.NET/Python/Rust) with EXPECT.yaml ground truths and captured traces; wire fixtures into CI so reachability scoring and VEX proofs are continuously validated. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) |
| UI-VEX-401-032 | TODO | Add UI/CLI Explain/Verify surfaces on VEX decisions (show call paths, runtime hits, attestation verify button) and align with reachability evidence output. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) |
| POLICY-GATE-401-033 | TODO | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable` VEX outcomes; fall back to under review when symbol confidence is low; update policy docs and tests. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) |
> Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests. > Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests.
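Review bot: in POLICY-GATE-401-033 the fallback outcome "under review" is written as prose while the outcomes it gates are code literals (`not_affected`/`unreachable`); pin the exact status token the policy engine will emit (CycloneDX VEX and OpenVEX both use `under_investigation`) so the gate tests cannot pass on a loosely matched string. Also, QA-CORPUS-401-031 produces the EXPECT.yaml ground truth that the gate's reachability evidence will be validated against; record that dependency on the POLICY-GATE row so the gate is not merged before the corpus and its CI fixtures exist.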

File diff suppressed because it is too large.

@@ -1,14 +1,14 @@
# Docs Guild Update — 2025-10-18 # Docs Guild Update — 2025-10-18
**Subject:** ADR process + events schema validation shipped **Subject:** ADR process + events schema validation shipped
**Audience:** Docs Guild, DevEx, Platform Events **Audience:** Docs Guild, DevEx, Platform Events
- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow. - Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow.
- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories. - Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories.
- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`. - Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`.
- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access. - Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access.
- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements. - Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements.
Next steps: Next steps:
- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs. - Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs.
- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed. - DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed.
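Review bot: no content change is visible in this hunk, and the same holds for the seven whole-file hunks that follow it (the 2025-10-19 through 2025-10-22 update notes): every line is identical on both sides and the headers report equal line counts (`@@ -1,14 +1,14 @@`), so the change is whitespace or line-ending only, most likely CRLF/LF or BOM normalization. Confirm with `git diff -w` (or `git diff --ignore-cr-at-eol`), and if so, split the normalization into its own commit or add a `* text=auto` rule in `.gitattributes`; bundling it here makes the feature diff harder to review and rewrites `git blame` for notes that did not change.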

@@ -1,12 +1,12 @@
# Docs Guild Update — 2025-10-19 # Docs Guild Update — 2025-10-19
**Subject:** Event envelope reference & canonical samples **Subject:** Event envelope reference & canonical samples
**Audience:** Docs Guild, Platform Events, Runtime Guild **Audience:** Docs Guild, Platform Events, Runtime Guild
- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields. - Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas. - Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions. - Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
Next steps: Next steps:
- Platform Events to embed the canonical samples into their contract tests. - Platform Events to embed the canonical samples into their contract tests.
- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off. - Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.

@@ -1,10 +1,10 @@
# Platform Events Update — 2025-10-19 # Platform Events Update — 2025-10-19
**Subject:** Canonical event samples enforced across tests & CI **Subject:** Canonical event samples enforced across tests & CI
**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild **Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`. - Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations. - Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned. - Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
No additional follow-ups — downstream teams can rely on the committed samples for integration coverage. No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.

@@ -1,5 +1,5 @@
# 2025-10-19 Scanner ↔ Policy Sync # 2025-10-19 Scanner ↔ Policy Sync
- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync. - Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring. - Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship. - Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.

@@ -1,8 +1,8 @@
# Scheduler Storage Update — 2025-10-19 # Scheduler Storage Update — 2025-10-19
**Subject:** Mongo bootstrap + canonical fixtures **Subject:** Mongo bootstrap + canonical fixtures
**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams **Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks. - Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact. - Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup. - `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.

@@ -1,14 +1,14 @@
# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates # 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
## Summary ## Summary
- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks. - Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised. - Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs. - DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
## Operator impact ## Operator impact
- No configuration changes are required; existing YAML and environment-based settings continue to function. - No configuration changes are required; existing YAML and environment-based settings continue to function.
- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use. - Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
## Developer notes ## Developer notes
- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`. - When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set. - For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.

@@ -1,13 +1,13 @@
# Docs Guild Update — 2025-10-22 # Docs Guild Update — 2025-10-22
**Subject:** Concelier Authority toggle rollout polish **Subject:** Concelier Authority toggle rollout polish
**Audience:** Docs Guild, Concelier WebService Guild, Authority Core **Audience:** Docs Guild, Concelier WebService Guild, Authority Core
- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step. - Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement. - Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned. - Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 20251022 bundle before promoting it to mirrors. - Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 20251022 bundle before promoting it to mirrors.
Next steps: Next steps:
- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review. - Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build. - Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.
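Review bot: every line in this hunk shows identical text on both sides, so the change is whitespace or line-ending normalization rather than content; the same holds for the other `@@ -1,N +1,N @@` hunks over the docs-guild update files below. Worth calling out explicitly in the change description, and a `.gitattributes` `text=auto` rule would keep future normalizations out of content commits.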


@@ -1,15 +1,15 @@
# 2025-10-26 — Authority graph scopes documentation refresh # 2025-10-26 — Authority graph scopes documentation refresh
## Summary ## Summary
- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations). - Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults. - Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services. - Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.
## Next steps ## Next steps
| Team | Follow-up | Target | | Team | Follow-up | Target |
|------|-----------|--------| |------|-----------|--------|
| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 | | Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up | | Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up | | Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |


@@ -1,48 +1,48 @@
# Console Security Checklist Sign-off — 2025-10-27 # Console Security Checklist Sign-off — 2025-10-27
## Summary ## Summary
- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint23 build. - Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. - No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** console may progress with Sprint23 release gating. - Result: **PASS** console may progress with Sprint23 release gating.
## Authority client validation ## Authority client validation
- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. - Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. - Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
## CSP enforcement ## CSP enforcement
- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. - Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. - Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
## Fresh-auth timer ## Fresh-auth timer
- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle. - Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. - Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
## DPoP binding test ## DPoP binding test
- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. - Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. - Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
## Offline mode exercise ## Offline mode exercise
- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. - Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status. - Imported Offline Kit manifest; parity checks report `OK` status.
## Evidence parity ## Evidence parity
- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match. - Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored). - Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
## Monitoring & alerts ## Monitoring & alerts
- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. - Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. - PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
## Sign-off ## Sign-off
- Reviewed by **Security Guild** (lead: `@sec-lfox`). - Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`). - Sign-off recorded in Sprint23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
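Review bot: several separators in this file appear to have been stripped, e.g. `Result: **PASS** console may progress` (missing punctuation between the verdict and the clause), `5minutes idle`, `Sprint23`, and the dangling `curl -I https://console.stg.stellaops.local/` before `CSP matches`; these look like lost non-breaking spaces or dashes, so restore them in the source rather than leaving the sign-off record ambiguous.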


@@ -1,15 +1,15 @@
# 2025-10-27 — Orchestrator operator scope & audit metadata # 2025-10-27 — Orchestrator operator scope & audit metadata
## Summary ## Summary
- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`. - Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued. - Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action. - Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
## Next steps ## Next steps
| Team | Follow-up | Target | | Team | Follow-up | Target |
|------|-----------|--------| |------|-----------|--------|
| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up | | Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up | | CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation | | Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |
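Review bot: the summary says `operator_reason` and `operator_ticket` are captured verbatim into audit events (`request.reason`, `request.ticket`) but does not state any validation of their length or character set; since these values are operator-supplied and land in SecOps audit trails, the doc should name the accepted format (and whether the Orchestrator Service's `X-Stella-Reason`/`X-Stella-Ticket` headers share it) so the Console and CLI follow-ups validate consistently.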


@@ -1,15 +1,15 @@
# 2025-10-27 — Policy scope migration guidance # 2025-10-27 — Policy scope migration guidance
## Summary ## Summary
- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`). - Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes. - Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles. - Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
## Next steps ## Next steps
| Team | Follow-up | Target | | Team | Follow-up | Target |
|------|-----------|--------| |------|-----------|--------|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 | | Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up | | DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 | | Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |
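Review bot: the third summary bullet introduces a "repo verification script" that fails CI on legacy policy scope bundles but gives neither its path nor the CI job that runs it; name both so the DevOps follow-up on regenerated `policy-cli` credentials can reference the same check.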


@@ -1,15 +1,15 @@
# Docs Guild Update — Task Pack Docs (2025-10-27) # Docs Guild Update — Task Pack Docs (2025-10-27)
- Added Task Pack core documentation set: - Added Task Pack core documentation set:
- `/docs/task-packs/spec.md` - `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md` - `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md` - `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md` - `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md` - `/docs/security/pack-signing-and-rbac.md`
- `/docs/modules/cli/operations/release-and-packaging.md` - `/docs/modules/cli/operations/release-and-packaging.md`
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks. - Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement). - Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm). - Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds. - Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md). Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md).


@@ -1,26 +1,26 @@
# Docs Guild Update — 2025-10-28 # Docs Guild Update — 2025-10-28
## Console security posture draft ## Console security posture draft
- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist. - Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120s OpTok, 300s fresh-auth window) and confirm scope bundles before closing the sprint task. - Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120s OpTok, 300s fresh-auth window) and confirm scope bundles before closing the sprint task.
- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`). - Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).
## Console CLI parity matrix ## Console CLI parity matrix
- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`). - Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot. - DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.
## Accessibility refresh ## Accessibility refresh
- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance. - Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102. - Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.
Artifacts: Artifacts:
- Doc: `/docs/security/console-security.md` - Doc: `/docs/security/console-security.md`
- Doc: `/docs/cli-vs-ui-parity.md` - Doc: `/docs/cli-vs-ui-parity.md`
- Doc: `/docs/accessibility.md` - Doc: `/docs/accessibility.md`
- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE) - Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE)
cc: `@authority-core`, `@security-guild`, `@docs-guild` cc: `@authority-core`, `@security-guild`, `@docs-guild`
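Review bot: the parity matrix legend `✅/🟡/🟩` uses two green markers without saying how they differ; add a one-line legend in this update (or in `/docs/cli-vs-ui-parity.md`) so readers can tell a shipped command from a partially matching one.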


@@ -1,9 +1,9 @@
# 2025-10-29 Export Center provenance/signing doc # 2025-10-29 Export Center provenance/signing doc
## Summary ## Summary
- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist. - Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling. - Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
## Follow-ups ## Follow-ups
- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary. - [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section. - [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.


@@ -1,10 +1,10 @@
# 2025-10-29 Notifications Studio docs sync prep # 2025-10-29 Notifications Studio docs sync prep
## Summary ## Summary
- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint39. - Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint39.
- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge. - Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas. - Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
## Follow-ups ## Follow-ups
- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details. - [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised. - [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.


@@ -1,12 +1,12 @@
# 2025-10-31 — Console Security Docs Refresh # 2025-10-31 — Console Security Docs Refresh
## Summary ## Summary
- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour. - Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly. - Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations. - Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts. - Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
## Impact ## Impact
- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers. - Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
- Security Guild can rely on the updated compliance checklist when executing Sprint23 sign-off. - Security Guild can rely on the updated compliance checklist when executing Sprint23 sign-off.
- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access. - Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.
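Review bot: reducing the default Authority access-token lifetime to 120 seconds affects every client that relies on the default, not only the console, yet the Impact section only lists console, Security Guild and deployment reminders; add a line noting that non-console clients must be prepared to refresh more frequently.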


@@ -15,8 +15,8 @@ MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create|verify` commands wi
MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator) MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator)
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md If all tasks are done - read next sprint section - SPRINT_0120_0000_0001_policy_reasoning.md
> 2025-11-04: AIAI-31-004A DONE WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`. > 2025-11-04: AIAI-31-004A DONE WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.
> 2025-11-04: AIAI-31-006 DONE REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata. > 2025-11-04: AIAI-31-006 DONE REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.
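Review bot: the next-sprint pointer changes from `SPRINT_120_policy_reasoning.md` to `SPRINT_0120_0000_0001_policy_reasoning.md` as a bare filename; confirm the file exists under that exact name and that no other references to the old name remain, since a stale pointer silently breaks the "read next sprint section" chain.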


@@ -9,7 +9,7 @@
| AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 | | AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 |
| EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 | | EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 |
| AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | | AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | | LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
| CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 | | CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 |
| SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
| SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
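Review bot: only the `LEDGER-29-006` row moves to the long-form `SPRINT_0120_0000_0001_policy_reasoning` id, while the neighbouring rows keep the short form (`SPRINT_150_mirror_time`, `SPRINT_111_advisoryai`, `SPRINT_113_concelier_ii`, `SPRINT_136_scanner_surface`); if the sprint column is resolved to file names, mixing two schemes in one table will break for whichever side is not renamed, so apply one scheme across the column.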
@@ -32,9 +32,9 @@
| 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 | | 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
| 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 | | 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
| 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 | | 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | | 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | | 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | | 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
| 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 | | 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 |
| 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 | | 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 |
| 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 | | 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 |
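Review bot: rows `30-001` to `30-003` still reference `SPRINT_129_policy_reasoning` while the `29-007` to `29-009` rows beside them move to `SPRINT_0120_0000_0001_policy_reasoning`; if SPRINT_129 was renamed under the same scheme these rows are now stale, and if it was not, the two `policy_reasoning` sprints are now easy to confuse, so state which applies.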
@@ -48,7 +48,7 @@
| 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 | | 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 |
| 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 | | 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 |
| 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | | 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | | 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
| 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 | | 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 |
| 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 | | 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 |
| 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 | | 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
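Review bot: The two dependency columns in the 34-101 row use different identifier forms (`29-009` in one, `LEDGER-29-009` in the other), so a reader cannot tell whether they are the same task without cross-referencing; the same mismatch appears for 29-008 (`29-007` versus `LEDGER-29-007`). Pick one canonical task ID per dependency, and while touching these rows consider normalising the path column, where `401-004` wraps its path in backticks and every other row does not.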
@@ -61,7 +61,7 @@
| 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 | | 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 |
| 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 | | 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 |
| 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 | | 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 |
| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | | 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
| 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 | | 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 |
| 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 | | 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 |
| 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 | | 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 |
@@ -940,14 +940,14 @@
| EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 |
| EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 |
| EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 | | EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
| EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | | EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
| EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 | | EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
| EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 | | EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 |
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 | | EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | | EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
| EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 | | EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 |
| EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 | | EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 |
| EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 | | EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 |
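Review bot: Two rows in this hunk carry contradictory status data: `EXCITITOR-CONN-SUSE-01-003` and `EXCITITOR-CONN-UBUNTU-01-003` are marked `TODO` in the status column while their notes open with "DONE (2025-11-09)". If the work is complete, set status to `DONE` and the date column to 2025-11-09 and drop the prefix from the notes, otherwise remove the stale note. Separately, the new sprint IDs do not follow one pattern: `SPRINT_0119_0001_0001_excititor_i` here versus `SPRINT_0120_0000_0001_policy_reasoning` in the Findings Ledger rows, and `SPRINT_120_excititor_ii` is left unrenamed; the meaning of the two numeric segments should be documented so future rows can be named consistently.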
@@ -1143,17 +1143,17 @@
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 | | KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 | | KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
| LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 | | LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | | LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | | LEDGER-29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | | LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | | LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 | | LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | | LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | | LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | | LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | | LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | | LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | | LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
| LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 | | LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 |
| LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 | | LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 |
| LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 | | LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 |
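Review bot: The rename stops at the sprint boundary: `LEDGER-ATTEST-73-002`, `LEDGER-EXPORT-35-001` and `LEDGER-OAS-61-001` remain on `SPRINT_121_policy_reasoning`, so the ledger rows now straddle two naming schemes. Two data issues in the touched rows are also worth fixing while here: `LEDGER-AIRGAP-56` lists `PLLG0102` as both its dependency and its program ID, which reads like a copy error, and the owner cells for `LEDGER-AIRGAP-57-001`, `LEDGER-AIRGAP-58-001` and `LEDGER-ATTEST-73-001` embed the repo path after a `/`, duplicating the path column; keep the path only in the path column.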
@@ -2228,7 +2228,7 @@
| AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 | | AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 |
| EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 | | EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 |
| AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | | AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | | LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 |
| CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 | | CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 |
| SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
| SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 |
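Review bot: `LEDGER-29-006` is renamed here but has an empty path cell and `—` for both dependency columns, even though rows 29-007 and LEDGER-29-007 elsewhere in this file depend on it and sit under `src/Findings/StellaOps.Findings.Ledger`; fill in the path so the dependency chain resolves to a location.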
@@ -2251,9 +2251,9 @@
| 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 | | 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
| 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 | | 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
| 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 | | 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | | 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 |
| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | | 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 |
| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | | 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 |
| 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 | | 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 |
| 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 | | 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 |
| 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 | | 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 |
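Review bot: This hunk (around line 2251) is a verbatim copy of the rows changed near the top of the file, and the same duplication recurs for the -2267, -2280 and -3161 regions, which is why every sprint rename had to be applied twice. Duplicated tables drift, as the partial rename in this commit already shows; consider keeping a single copy of the task table (or generating one view from the other) so a rename is a one-line change.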
@@ -2267,7 +2267,7 @@
| 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 | | 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 |
| 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 | | 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 |
| 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | | 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 |
| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | | 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 |
| 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 | | 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 |
| 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 | | 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 |
| 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 | | 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 |
@@ -2280,7 +2280,7 @@
| 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 | | 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 |
| 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 | | 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 |
| 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 | | 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 |
| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | | 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 |
| 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 | | 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 |
| 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 | | 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 |
| 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 | | 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 |
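Review bot: Only the `58 series` row in this hunk moves to the zero-padded identifier `SPRINT_0120_0000_0001_policy_reasoning`, while every other row keeps the short form (`SPRINT_501_ops_deployment_i`, `SPRINT_170_notifications_telemetry`, `SPRINT_110_ingestion_evidence`, `SPRINT_511_api`, `SPRINT_206_devportal`). If this is a one-off rename rather than a new scheme, say so next to the table; if it is a scheme change, the other rows need the same treatment. Either way a reader who searches for `SPRINT_120_policy_reasoning` after this lands will find neither the old name nor a mapping to the new one, so a one-line old-to-new legend near the table header would be worth adding.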
@@ -3161,14 +3161,14 @@
| EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 |
| EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 |
| EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 | | EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 |
| EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | | EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 |
| EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | | EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 |
| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 | | EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 |
| EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 | | EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 |
| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 | | EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 |
| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | | EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 |
| EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 | | EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 |
| EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 | | EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 |
| EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 | | EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 |
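Review bot: The rename is applied to the `SPRINT_119_excititor_i` rows (now `SPRINT_0119_0001_0001_excititor_i`) but not to the sibling `SPRINT_120_excititor_ii` rows `EXCITITOR-CONN-SUSE-01-003` and `EXCITITOR-CONN-UBUNTU-01-003`, nor to the `SPRINT_110_ingestion_evidence` rows in the same hunk, so one module's rows now mix two identifier formats; either rename all of them here or note which sprints deliberately keep the old form. Separately, both connector rows still show `TODO` in the status column while their notes begin `DONE (2025-11-09)`; since this hunk already touches the neighbouring rows, flip the status and fill the completion-date column so the two columns stop contradicting each other.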
@@ -3364,17 +3364,17 @@
| KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 | | KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 |
| KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 | | KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 |
| LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 | | LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. | GRSC0101 & RBRE0101 | LEDG0101 |
| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | | LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 |
| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | | LEDGER-29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 |
| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | | LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 |
| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | | LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 |
| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 | | LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 |
| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | | LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 |
| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | | LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 |
| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | | LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 |
| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | | LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 |
| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | | LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 |
| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | | LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 |
| LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 | | LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 |
| LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 | | LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 |
| LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 | | LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 |
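Review bot: The new identifier scheme is undocumented and applied unevenly: `SPRINT_120_policy_reasoning` rows become `SPRINT_0120_0000_0001_policy_reasoning`, the excititor rows in the earlier hunk become `SPRINT_0119_0001_0001_excititor_i` (middle segment `0001`, not `0000`), and the `SPRINT_121_policy_reasoning` rows (`LEDGER-ATTEST-73-002`, `LEDGER-EXPORT-35-001`, `LEDGER-OAS-61-001`) are left untouched. If the four segments encode something (sprint, stream, sequence), add a short legend and apply the rename to every row of the affected sprints; otherwise a reader cannot tell whether `SPRINT_121_policy_reasoning` was skipped on purpose or simply missed.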


@@ -0,0 +1,133 @@
Heres a compact, practical way to think about **embedding intoto provenance attestations directly inside your event payloads** (instead of sidecar files), so your vuln/build graph stays temporally consistent.
---
### Why embed?
* **Atomicity:** build → publish → scan → VEX decisions share one event ID and clock; no dangling sidecars.
* **Replayability:** the event stream alone reproduces state (great for offline kits/audits).
* **Causal joins:** vulnerability findings can cite the exact provenance that led to an image/digest.
---
### Event shape (single, selfcontained envelope)
```json
{
"eventId": "01JDN2Q0YB8M…",
"eventType": "build.provenance.v1",
"occurredAt": "2025-11-13T10:22:31Z",
"subject": {
"artifactPurl": "pkg:docker/acme/api@sha256:…",
"digest": {"sha256": "…"}
},
"provenance": {
"kind": "in-toto-provenance",
"dsse": {
"payloadType": "application/vnd.in-toto+json",
"payload": "<base64(in-toto Statement)>",
"signatures": [{"keyid":"…","sig":"…"}]
},
"transparency": {
"rekor": {"logIndex": 123456, "logID": "…", "entryUUID": "…"}
}
},
"sig": {
"envelope": "dsse",
"alg": "Ed25519",
"bundle": { "certChain": ["…"], "timestamp": "…" }
},
"meta": {
"builderId": "https://builder.stella-ops.local/gha",
"buildInvocationId": "gha-run-457812",
"slsa": {"level": 3}
}
}
```
**Notes**
* `provenance.dsse.payload` holds the raw intoto Statement (Statement + Subject + Predicate).
* Keep both **artifact digest** (subject) and **statement subject** (inside payload) and verify they match on ingest.
---
### DB model (Mongo-esque)
* `events` collection: one doc per event (above schema).
* **Compound index:** `{ "subject.digest.sha256": 1, "occurredAt": 1 }`
* **Causal index:** `{ "meta.buildInvocationId": 1 }`
* **Uniq guard:** `{ "eventId": 1 } unique`
---
### Ingest pipeline (deterministic)
1. **Verify DSSE:** check signature, cert roots (or offline trust bundle).
2. **Validate Statement:** subject digests, builder ID, predicateType.
3. **Upsert artifact node:** keyed by digest; attach `lastProvenanceEventId`.
4. **Append event:** write once; never mutate (eventsourced).
5. **Emit derived edges:** `(builderId) --built--> (artifact@digest)` with `occurredAt`.
---
### Joining scans to provenance (temporal consistency)
* When a scan event arrives, resolve the **latest provenance event with `occurredAt ≤ scan.occurredAt`** for the same digest.
* Store an edge `(artifact@digest) --scannedWith--> (scanner@version)` with a **pointer to the provenance eventId** used for policy.
---
### Minimal .NET 10 contracts
```csharp
public sealed record DsseEnvelope(string PayloadType, string Payload, IReadOnlyList<DsseSig> Signatures);
public sealed record Provenance(string Kind, DsseEnvelope Dsse, Transparency? Transparency);
public sealed record EventSubject(string ArtifactPurl, Digest Digest);
public sealed record EventEnvelope(
string EventId, string EventType, DateTime OccurredAt,
EventSubject Subject, Provenance Provenance, SigMeta Sig, Meta Meta);
public interface IEventVerifier {
ValueTask VerifyAsync(EventEnvelope ev, CancellationToken ct);
}
public interface IEventIngestor {
ValueTask IngestAsync(EventEnvelope ev, CancellationToken ct); // verify->validate->append->derive
}
```
---
### Policy hooks (VEX/Trust Algebra)
* **Rule:** “Only trust findings if the scans referenced provenance has `builderId ∈ AllowedBuilders` and `SLSA ≥ 3` and `time(scan) time(prov) ≤ 24h`.”
* **Effect:** drops stale/forged results and aligns all scoring to one timeline.
---
### Migration from sidecars
1. **Dualwrite** for one sprint: keep emitting sidecars, but also embed DSSE in events.
2. Add **backfill job**: wraps historical sidecars into `build.provenance.v1` events (preserve original timestamps).
3. Flip **consumers** (scoring/VEX) to **require `provenance` in the event**; keep sidecar reader only for legacy imports.
---
### Failure & edge cases
* **Oversized payloads:** gzip the DSSE payload; cap event body (e.g., 512 KB) and store overflow in `provenance.ref` (contentaddressed blob) while **hashlinking** it in the event.
* **Multiple subjects:** keep the Statement intact; still key the event by the **primary digest** you care about, but validate all subjects.
---
### Quick checklist to ship
* [ ] Event schema & JSON schema with strict types (no additionalProperties).
* [ ] DSSE + intoto validators (offline trust bundles supported).
* [ ] Mongo indexes + appendonly writer.
* [ ] Temporal join in scanner consumer (≤ O(log n) via index).
* [ ] VEX rules referencing `event.meta` & `provenance.dsse`.
* [ ] Backfill task for legacy sidecars.
* [ ] Replay test: rebuild graph from events only → identical results.
If you want, I can turn this into readytodrop **.proto + C# models**, plus a Mongo migration script and a tiny verifier service.
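Review bot: The envelope carries two signature blocks whose relationship is never stated: `provenance.dsse.signatures` signs the in-toto Statement, but the top-level `sig` (`envelope: dsse`, `alg: Ed25519`, `bundle.certChain`) does not say which bytes it covers (the whole event, or only `provenance`?), and ingest step 1 just says "verify DSSE". Spell out what `sig` signs and in which order the two are checked, and extend step 1 so it also checks that `payloadType` equals `application/vnd.in-toto+json` before decoding and, when `provenance.transparency.rekor` is present, that the log entry matches the envelope; neither check appears anywhere in the pipeline. Two smaller points: the "Oversized payloads" section says to gzip the DSSE payload, but the DSSE signature is computed over the payload bytes, so compression has to happen at the event-body or overflow-blob level (or the verifier must decompress before building the PAE), and that should be stated; and the rendered text has lost characters (`Heres`, `intoto`, `selfcontained`, `eventsourced`, `Dualwrite`, and the rule `time(scan) time(prov) ≤ 24h` is missing the operator between the two terms), which will read badly in the published doc.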


@@ -0,0 +1,103 @@
Heres a tight idea I think youll like: **make every VEX “nonaffected” verdict explain itself with provable, symbollevel evidence**—not just “package X isnt reachable,” but “function `Foo::bar()` (the vulnerable sink) is never called in any admissible execution of image Y,” backed by cryptographic provenance.
---
# Why this matters (quickly)
* **Trust**: Auditors and customers can verify why you suppressed a CVE.
* **Quiet scanner**: Fewer false alarms because decisions cite concrete callpaths (or their absence).
* **Moat**: Competitors stop at file/package reachability; you show **functionlevel** proof tied to intoto attestations.
---
# Core concept (plain)
Blend two things:
1. **Deterministic symbol reachability** (per language): build minimal call graphs and mark whether the vulnerable symbol is callable from your apps entrypoints.
2. **intotoanchored provenance**: sign the *inputs and reasoning* (rules, SBOM slice, callgraph hash, evidence artifacts), so the verdict can be independently reverified.
Result: each VEX decision is a **verifiable miniproof**.
---
# What the evidence looks like (per CVE/component)
* **Symbol set**: canonical IDs of vulnerable functions (e.g., `pkg@ver#Type::Method(sig)`).
* **Callgraph digest**: hash of pruned call graph from app entrypoints to those symbols.
* **Evidence**:
* Static: “No path from any entrypoint → {vuln symbols} (k=0).”
* Optional runtime: sampled traces (EventPipe/JFR/eBPF) show **0 hits** to symbols/guards.
* **Context**: build inputs (SBOM, lockfiles, compile units), framework models used, versions.
* **Attestation**: intoto/DSSE signed bundle with reproducible scan manifest.
---
# Minimal prototype this week (Scanner reachability scorer)
1. **Symbol mappers (MVP)**
* .NET: read PDB + IL to enumerate `MethodDef` symbols; map NuGet pkg → assembly → methods.
* JVM: JAR index + method table (from ASM); map Maven coords → classes → methods.
2. **Entrypoint discovery**
* Docker CMD/ENTRYPOINT → process launch → managed main(s) (ASP.NET Program.Main, Spring Boot main).
3. **Shallow callgraph** (no fancy pointsto yet):
* Direct calls + common framework handoffs (ASP.NET routing → controller; Spring @RequestMapping → handler).
4. **Vuln ↔ symbol alignment**
* Heuristics: match GHSA/OSV “affected functions” or patch diff to infer symbol names; fallback to packagescope verdict with a flag “symbolinferred: false”.
5. **Decision object**
* `ReachabilityDecision.json` with: entrypoints, symbol set, path_count, notes, hashes.
6. **Attest**
* Emit `reachability.intoto.jsonl` (subject = image digest + SBOM component + symbol digest). Cosign with your test key.
7. **VEX output**
* OpenVEX statement reason: `component_not_present` or `vulnerable_code_not_in_execute_path` with `justification_url` → small HTML report (signed).
---
# Data & schemas to add
* `Scanner.Reachability/`
* `SymbolIndex` (pkg → assemblies/classes/methods)
* `EntryPoints` (per image, normalized)
* `CallGraphPruned` (edges + hash)
* `Decision` (path_count, evidence, versions)
* `Authority`
* Key management for DSSE; policy to **require** reachability evidence for “nonaffected”.
---
# Language roadmap (fast win → harder)
* **Week 12:** .NET + JVM shallow graphs + ASP.NET/Spring models.
* **Week 34:** Node/TS (TS compiler API), Go (SSA), Python (import graph + common web frameworks).
* **Stretch:** Rust/Swift (MIR/SIL summaries), native (symbols + coarse edges), Shell (exec chain).
---
# Where to surface it (UX)
* VEX details panel: “Nonaffected (0 call paths)” → expand → show entrypoints, collapsed edge list, trace hitcounts, and “Verify attestation” button.
* CLI: `stella scan --explain CVE-XYZ --verify-attestation`.
---
# Guardrails
* If symbol mapping is uncertain, **do not** claim “nonaffected”; downgrade to “under review” with rationale.
* Cache symbol indexes per package version; keep the callgraph pruned to entrypoint cones for speed.
* Everything reproducible: the **scan manifest** (feeds, rule versions, hashes) must recreate the same decision bitforbit.
---
If you want, I can draft the exact C# namespaces, interfaces, and the OpenVEX + intoto payloads you can drop into `Scanner.Reachability` and `Authority.Attest`.
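Review bot: The central claim ("`Foo::bar()` is never called in any admissible execution") is only sound if the call graph over-approximates real calls, but the MVP in step 3 is a shallow graph of direct calls plus a few framework hand-offs, so virtual dispatch, delegates, reflection, DI-resolved services and dynamically registered handlers all produce missing edges, and `path_count = 0` then means "no path found", not "no path exists". State explicitly that a `not_affected` verdict requires the over-approximating graph and that the shallow MVP may only feed the "under review" state. Related: step 4's fallback to a package-scope verdict flagged `symbolinferred: false` contradicts the Guardrails section, which says an uncertain symbol mapping must never yield "non-affected"; say which rule wins. On the VEX output, the OpenVEX field is `justification` (the doc says "reason"), and `justification_url` is not an OpenVEX statement field as far as I know, so either document it as an extension or carry the report link in `impact_statement`. Finally, the rendered text has lost characters (`Heres`, `youll`, `nonaffected`, `intoto`, `callpaths`, and `Week 12` / `Week 34` where ranges were meant), which needs fixing before this ships.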


@@ -0,0 +1,488 @@
Here is a complete, implementation-ready sketch you can drop into your solution and tune.
I assume:
* ASP.NET Core Web API (.NET 10).
* EF `DbContext` with `DbSet<PolCensusList>`.
* Excel via **ClosedXML** (clean API, MIT license, built on OpenXML).
---
## 1. NuGet packages
Add to the Web/API project:
```bash
dotnet add package ClosedXML
dotnet add package DocumentFormat.OpenXml
```
---
## 2. File repository abstraction
This matches your requirement: upload/download by `bucketId` + `fileId`, plus stream variants.
```csharp
public interface IFileRepository
{
// Uploads a file identified by bucketId + fileId from a Stream
Task UploadAsync(
string bucketId,
string fileId,
Stream content,
string contentType,
CancellationToken cancellationToken = default);
// Uploads a file from an in-memory buffer
Task UploadAsync(
string bucketId,
string fileId,
byte[] content,
string contentType,
CancellationToken cancellationToken = default);
// Downloads a file as a Stream (caller is responsible for disposing)
Task<Stream> DownloadAsStreamAsync(
string bucketId,
string fileId,
CancellationToken cancellationToken = default);
// Downloads a file as a byte[] buffer
Task<byte[]> DownloadAsBytesAsync(
string bucketId,
string fileId,
CancellationToken cancellationToken = default);
}
```
Example of a simple implementation over some `IFileStoreClient` (adjust to your FileStore API):
```csharp
public sealed class FileStoreRepository : IFileRepository
{
private readonly IFileStoreClient _client;
public FileStoreRepository(IFileStoreClient client)
{
_client = client;
}
public async Task UploadAsync(
string bucketId,
string fileId,
Stream content,
string contentType,
CancellationToken cancellationToken = default)
{
// Example adapt to your real client
await _client.PutObjectAsync(
bucketId: bucketId,
objectId: fileId,
content: content,
contentType: contentType,
cancellationToken: cancellationToken);
}
public async Task UploadAsync(
string bucketId,
string fileId,
byte[] content,
string contentType,
CancellationToken cancellationToken = default)
{
await using var ms = new MemoryStream(content, writable: false);
await UploadAsync(bucketId, fileId, ms, contentType, cancellationToken);
}
public async Task<Stream> DownloadAsStreamAsync(
string bucketId,
string fileId,
CancellationToken cancellationToken = default)
{
// Must return a readable Stream ready for ClosedXML
return await _client.GetObjectStreamAsync(
bucketId: bucketId,
objectId: fileId,
cancellationToken: cancellationToken);
}
public async Task<byte[]> DownloadAsBytesAsync(
string bucketId,
string fileId,
CancellationToken cancellationToken = default)
{
await using var stream = await DownloadAsStreamAsync(bucketId, fileId, cancellationToken);
using var ms = new MemoryStream();
await stream.CopyToAsync(ms, cancellationToken);
return ms.ToArray();
}
}
```
Register in DI:
```csharp
builder.Services.AddScoped<IFileRepository, FileStoreRepository>();
```
---
## 3. Import service for `PolCensusList` from Excel
To keep the controller thin, put Excel parsing + EF into a service.
Assumptions (adjust as needed):
* The file is an `.xlsx` with a header row.
* Data starts at row 2.
* Columns are:
| Column | Excel | Property |
| ------ | ----- | -------------- |
| A | 1 | CustPid |
| B | 2 | Gname |
| C | 3 | Sname |
| D | 4 | Fname |
| E | 5 | BirthDate |
| F | 6 | Gender |
| G | 7 | Bmi |
| H | 8 | Dependant |
| I | 9 | DependantOn |
| J | 10 | MemberAction |
| K | 11 | GrpCode |
| L | 12 | BeginDate |
| M | 13 | SrCustId |
| N | 14 | MemberPolicyId |
| O | 15 | MemberAnnexId |
| P | 16 | ErrMsg |
Other fields (`SrPolicyId`, `SrAnnexId`, `FileId`, `Tstamp`) are taken from parameters/system.
```csharp
using System.Globalization;
using ClosedXML.Excel;
using Microsoft.EntityFrameworkCore;
public interface IPolCensusImportService
{
Task<int> ImportFromExcelAsync(
string bucketId,
string fileId,
decimal srPolicyId,
decimal srAnnexId,
CancellationToken cancellationToken = default);
}
public sealed class PolCensusImportService : IPolCensusImportService
{
private readonly SerdicaHealthContext _dbContext;
private readonly IFileRepository _fileRepository;
public PolCensusImportService(
SerdicaHealthContext dbContext,
IFileRepository fileRepository)
{
_dbContext = dbContext;
_fileRepository = fileRepository;
}
public async Task<int> ImportFromExcelAsync(
string bucketId,
string fileId,
decimal srPolicyId,
decimal srAnnexId,
CancellationToken cancellationToken = default)
{
await using var stream = await _fileRepository.DownloadAsStreamAsync(bucketId, fileId, cancellationToken);
using var workbook = new XLWorkbook(stream);
var worksheet = workbook.Worksheets.First();
var now = DateTime.UtcNow;
var entities = new List<PolCensusList>();
const int headerRow = 1;
var firstDataRow = headerRow + 1;
for (var row = firstDataRow; ; row++)
{
var rowRange = worksheet.Row(row);
if (rowRange.IsEmpty()) break; // Stop on first fully empty row
// Minimal “empty row” check no CustPid and no Name => stop
var custPidCell = rowRange.Cell(1);
var gnameCell = rowRange.Cell(2);
var snameCell = rowRange.Cell(3);
if (custPidCell.IsEmpty() && gnameCell.IsEmpty() && snameCell.IsEmpty())
{
break;
}
var entity = new PolCensusList
{
// Non-null FK fields from parameters
SrPolicyId = srPolicyId,
SrAnnexId = srAnnexId,
CustPid = custPidCell.GetString().Trim(),
Gname = gnameCell.GetString().Trim(),
Sname = snameCell.GetString().Trim(),
Fname = rowRange.Cell(4).GetString().Trim(),
BirthDate = GetDate(rowRange.Cell(5)),
Gender = rowRange.Cell(6).GetString().Trim(),
Bmi = GetDecimal(rowRange.Cell(7)),
Dependant = rowRange.Cell(8).GetString().Trim(),
DependantOn = rowRange.Cell(9).GetString().Trim(),
MemberAction = rowRange.Cell(10).GetString().Trim(),
GrpCode = rowRange.Cell(11).GetString().Trim(),
BeginDate = GetNullableDate(rowRange.Cell(12)),
SrCustId = GetNullableDecimal(rowRange.Cell(13)),
MemberPolicyId= GetNullableDecimal(rowRange.Cell(14)),
MemberAnnexId = GetNullableDecimal(rowRange.Cell(15)),
ErrMsg = rowRange.Cell(16).GetString().Trim(),
// Audit / technical fields
Tstamp = now,
FileId = fileId,
// Attr* left null for now can be mapped later if needed
};
entities.Add(entity);
}
await using var transaction = await _dbContext.Database.BeginTransactionAsync(cancellationToken);
try
{
await _dbContext.PolCensusLists.AddRangeAsync(entities, cancellationToken);
var affected = await _dbContext.SaveChangesAsync(cancellationToken);
await transaction.CommitAsync(cancellationToken);
return affected;
}
catch
{
await transaction.RollbackAsync(cancellationToken);
throw;
}
}
private static DateTime GetDate(IXLCell cell)
{
if (cell.DataType == XLDataType.DateTime &&
cell.GetDateTime() != default)
{
return cell.GetDateTime().Date;
}
var raw = cell.GetString().Trim();
if (string.IsNullOrEmpty(raw))
throw new InvalidOperationException("BirthDate is required but empty.");
// Try a few reasonable formats extend if needed
var formats = new[]
{
"dd.MM.yyyy",
"dd/MM/yyyy",
"yyyy-MM-dd",
"M/d/yyyy",
};
if (DateTime.TryParseExact(raw, formats,
CultureInfo.InvariantCulture,
DateTimeStyles.AssumeLocal,
out var dt))
{
return dt.Date;
}
if (DateTime.TryParse(raw, CultureInfo.CurrentCulture,
DateTimeStyles.AssumeLocal, out var dt2))
{
return dt2.Date;
}
throw new FormatException($"Cannot parse date value '{raw}'.");
}
private static DateTime? GetNullableDate(IXLCell cell)
{
if (cell.IsEmpty()) return null;
if (cell.DataType == XLDataType.DateTime &&
cell.GetDateTime() != default)
{
return cell.GetDateTime().Date;
}
var raw = cell.GetString().Trim();
if (string.IsNullOrEmpty(raw)) return null;
var formats = new[]
{
"dd.MM.yyyy",
"dd/MM/yyyy",
"yyyy-MM-dd",
"M/d/yyyy",
};
if (DateTime.TryParseExact(raw, formats,
CultureInfo.InvariantCulture,
DateTimeStyles.AssumeLocal,
out var dt))
{
return dt.Date;
}
if (DateTime.TryParse(raw, CultureInfo.CurrentCulture,
DateTimeStyles.AssumeLocal, out var dt2))
{
return dt2.Date;
}
return null;
}
private static decimal GetDecimal(IXLCell cell)
{
if (cell.IsEmpty()) return 0m;
if (cell.DataType == XLDataType.Number)
{
return (decimal)cell.GetDouble();
}
var raw = cell.GetString().Trim();
if (string.IsNullOrEmpty(raw)) return 0m;
// Try invariant and current culture
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result))
return result;
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result))
return result;
throw new FormatException($"Cannot parse decimal value '{raw}'.");
}
private static decimal? GetNullableDecimal(IXLCell cell)
{
if (cell.IsEmpty()) return null;
if (cell.DataType == XLDataType.Number)
{
return (decimal)cell.GetDouble();
}
var raw = cell.GetString().Trim();
if (string.IsNullOrEmpty(raw)) return null;
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result))
return result;
if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result))
return result;
return null;
}
}
```
Register the service:
```csharp
builder.Services.AddScoped<IPolCensusImportService, PolCensusImportService>();
```
---
## 4. API endpoint: import census data by `fileId`
Controller for IPAL / Serdica health module:
```csharp
using Microsoft.AspNetCore.Mvc;
[ApiController]
[Route("api/health/census")]
public sealed class PolCensusController : ControllerBase
{
private readonly IPolCensusImportService _importService;
public PolCensusController(IPolCensusImportService importService)
{
_importService = importService;
}
/// <summary>
/// Imports census members from an Excel file stored in FileStore.
/// </summary>
/// <param name="bucketId">Logical bucket / container in FileStore (e.g. "ipal-serdica-census").</param>
/// <param name="fileId">Unique file identifier in FileStore.</param>
/// <param name="srPolicyId">Serdica policy id (FK for PolCensusList).</param>
/// <param name="srAnnexId">Serdica annex id (FK for PolCensusList).</param>
[HttpPost("import/{bucketId}/{fileId}")]
public async Task<IActionResult> ImportFromFile(
string bucketId,
string fileId,
[FromQuery] decimal srPolicyId,
[FromQuery] decimal srAnnexId,
CancellationToken cancellationToken)
{
var importedCount = await _importService.ImportFromExcelAsync(
bucketId,
fileId,
srPolicyId,
srAnnexId,
cancellationToken);
return Ok(new
{
imported = importedCount,
fileId,
bucketId,
srPolicyId,
srAnnexId
});
}
}
```
---
## 5. Optional: upload endpoint using `IFileRepository`
If you want a simple upload entry point compatible with the repository:
```csharp
[HttpPost("upload")]
public async Task<IActionResult> UploadCensusFile(
[FromForm] IFormFile file,
[FromQuery] string bucketId,
CancellationToken cancellationToken)
{
if (file == null || file.Length == 0)
return BadRequest("File is required.");
var fileId = Guid.NewGuid().ToString("N");
await using var stream = file.OpenReadStream();
await _fileRepository.UploadAsync(
bucketId,
fileId,
stream,
file.ContentType ?? "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
cancellationToken);
return Ok(new { fileId, bucketId });
}
```
---
If you tell me:
* the exact Excel column layout you will get from IPAL / Serdica
* whether `CensusId` is sequence-generated in Oracle or must be populated in code,
I can tighten the mapping + EF configuration so that it matches your schema 1:1 and is ready for production.
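Review bot: the `CultureInfo.CurrentCulture` fallbacks in `GetDate`/`GetNullableDate` (the `DateTime.TryParse(raw, CultureInfo.CurrentCulture, ...)` branch) and in `GetDecimal`/`GetNullableDecimal` make the import depend on the host locale: `01/02/2024` and `1,5` parse to different values on different servers, so the same census file can load different members. Drop the CurrentCulture fallback and reject anything that does not match the pinned formats, or make the culture an explicit import parameter. Two smaller points: `UploadCensusFile` in section 5 references `_fileRepository`, which `PolCensusController` never declares or injects (only `_importService` is a field), so that endpoint does not compile as shown; and both endpoints take `bucketId` straight from the route/query and hand it to the FileStore with no `[Authorize]` attribute and no allowlist, so the caller chooses which bucket is read from or written to. Constrain `bucketId` to a known set, add authorization, and put a size limit on the uploaded file.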


@@ -0,0 +1,131 @@
Heres a compact, implementationready blueprint to make your scanners results quiet, explainable, and auditable endtoend.
# Phase the “proof spine”
1. **SBOMonly → VEXready → Attested**
* **SBOM (now):** Generate SPDX 3.0.1 + CycloneDX 1.6 for every image/module. Include purls, CPE (if available), license IDs, source URIs, and build metadata.
* **VEXready (next):** Normalize vuln inputs (OSV, GHSA, vendor feeds) to a single internal model; keep fields needed for VEX (status, justification, impact, action, timestamp, issuer).
* **Attest (then):** Emit **intoto/DSSE** attestations that bind: (a) SBOM digest, (b) ruleset version, (c) data sources & hashes, (d) VEX decisions. Log statement references in **Rekor** (or your mirror) for transparency.
# Explainability path (per alert)
For every surfaced finding, materialize:
* **Origin SBOM node** → component@version (with purl/CPE)
* **Match rule** → which matcher hit (name+version, range, CPE heuristics, source trust)
* **VEX gate** → decision with justification (e.g., affected/not_affected, component_not_present, configuration_needed)
* **Reachability trace** → static (call graph path) and/or runtime (probe hits) to the vulnerable symbol(s)
* **Deterministic score** → numeric risk built from stable inputs (below)
Expose this as a single JSON object and a short, humanreadable proof block in the UI/CLI.
# SmartDiff (incremental analysis)
* **Change detector:** hash symbols/packages and dependency graphs; on new scans, diff against prior state.
* **Selective reanalysis:** only reparse/resolve changed modules, lockfiles, or callgraph regions.
* **Memoized match & reachability:** cache vuln matches and reachability slices per (component, version, frameworkmodel) key.
# Scoring (quiet by design)
Use stable, auditable inputs:
* **Base:** CVSS v4.0 metrics (as provided by source), fall back to v3.1 if v4 missing.
* **Exploit maturity:** explicit flags when present (known exploited, PoC available, none).
* **Reachability boost/penalty:** functionlevel confirmation > packagelevel guess; runtime evidence > staticonly.
* **Compensating controls:** WAF/feature flags/sandboxing recorded as gates that reduce surfaced priority (but never erase provenance).
# Minimal data contracts (copypaste into your code)
**SBOM node (core):**
```json
{
"purl": "pkg:npm/lodash@4.17.21",
"hashes": [{"alg":"sha256","value":"..."}],
"licenses": ["MIT"],
"build": {"sourceUri":"git+https://...","commit":"..."},
"attestations": [{"type":"intoto","subjectDigest":"sha256:..."}]
}
```
**Finding proof (per alert):**
```json
{
"id": "FND-abc123",
"component": {"purl":"pkg:maven/org.example/foo@1.2.3"},
"vuln": {"id":"CVE-2024-XXXX","source":"OSV"},
"matchRule": {"name":"purl-eq","details":{"range":"[1.2.0,1.2.5)"}},
"vexGate": {"status":"affected","justification":"reachable_code_path"},
"reachability": {
"staticPath": ["Controller.handle","Service.parse","lib/vulnFunc"],
"runtimeHits": [{"symbol":"lib/vulnFunc","count":37}]
},
"score": {"base":7.1,"exploit":"poc","reach":"function","final":8.4},
"provenance": {
"sbomDigest":"sha256:...",
"ruleset":"signals-1.4.2",
"feeds":[{"name":"OSV","etag":"..."}],
"attRef":"rekor:sha256:..."
}
}
```
# Services & where they live in StellaOps
* **Sbomer**: Syftbacked generators (SPDX/CycloneDX) + DSSE signing.
* **Feedser/Concelier**: fetch & normalize vuln feeds (OSV/GHSA/vendor), maintain trust scores; “preserveprune source” rule stays.
* **Scanner.WebService**: orchestrates analyzers; run lattice algorithms here (per your standing rule).
* **Vexer/Excititor**: VEX issuance + policy evaluation (lattice gates).
* **Authority**: key management, DSSE signing, Rekor client (and mirror) endpoints.
* **Signals**: eventsourced store for proofs, reachability artifacts, and scoring outputs.
# Policies (tiny DSL sketch)
```yaml
version: 1
sources:
- id: osv
trust: 0.9
gates:
- id: not-present
when: component.present == false
action: vex(status: not_affected, reason: component_not_present)
- id: unreachable
when: reachability.static == false and reachability.runtime == false
action: vex(status: not_affected, reason: vulnerable_code_not_in_execute_path)
scoring:
base: cvss.v4 or cvss.v3
adjust:
- if: exploit.maturity in ["known_exploited","poc"]
add: 0.8
- if: reachability.function_confirmed
add: 1.1
- if: gate == "not-present"
subtract: 3.0
```
# Attestations & transparency (pragmatic path)
* **Produce** DSSEwrapped intoto statements for SBOM, ScanResult, and VEXBundle.
* **Record** statement digests in Rekor (or your **ProofMarket** mirror) with pointers back to your artifact store.
* **Bundle** offline kits with SBOM+VEX+attestations and a miniRekor log segment for airgapped audits.
# UX: onescreen truth
* Table of findings with **Final Score**, a **“Why?”** button expanding the 5part proof chain, and **Fix** suggestions.
* Global toggles: *Show only reachable*, *Mute notaffected*, *Show deltas* (SmartDiff), *Export VEX*.
# “Done next” checklist
* Wire Syft→SPDX/CycloneDX→DSSE emit → Rekor client.
* Normalize feeds to a single vuln model with trust weights.
* Implement **FindingProof** schema and persist it in Signals.
* Add **Symbolizer + perlang reachability** stubs (even minimal) to populate `reachability` fields.
* Ship VEX export (OpenVEX/CSAF) based on current gates.
* Add SmartDiff over SBOM + symbol graph hashes.
* Surface the full proof chain in UI/CLI.
If you want, I can drop in concrete .NET 10 interfaces/classes for each component and a first pass of the Rekor/DSSE helpers next.
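Review bot: the `unreachable` gate in the policy sketch (`when: reachability.static == false and reachability.runtime == false`) cannot distinguish "analysed and not reachable" from "analysis did not run", so a symbolizer failure that leaves both fields false would silently issue `not_affected`; model reachability as a tri-state (`true|false|unknown`), gate only on an explicit `false`, and treat `unknown` as affected for scoring. The worked numbers in the finding proof do not follow the DSL: `base 7.1` with `exploit: poc` (+0.8) and `reach: function` (+1.1) gives 9.0, not the `final: 8.4` shown, so one of the two needs correcting before this is copy-pasted. Also, `"vexGate": {"status":"affected","justification":"reachable_code_path"}` mixes fields: OpenVEX defines justifications only for `not_affected`; an `affected` statement carries an `action_statement` instead.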


@@ -0,0 +1,102 @@
Heres a compact, plainEnglish plan to make your scanner **faster, quieter, and auditorfriendly** by (1) diffaware rescans and (2) unified binary+source reachability—both dropin for StellaOps.
# Deterministic, diffaware rescans (clean SBOM/VEX diffs)
**Goal:** Only recompute what changed; emit stable, minimal diffs reviewers can trust.
**Core ideas**
- **Perlayer SBOM artifacts (cacheable):** For each image layer `L#`, persist:
- `sbom-L#.cdx.json` (CycloneDX), `hash(L#)`, `toolchain-hash`, `feeds-hash`.
- **Symbolfingerprints** for each discovered file: `algo|path|size|mtime|xxh3|funcIDs[]`.
- **Slice recomputation:** On new image `I'`, match layers via hashes; for changed layers or files, recompute *only* their callgraph slices and vuln joins.
- **Deterministic manifests:** Every scan writes a `scan.lock.json` (inputs, feed versions, rules, lattice policy hash, tool versions, clocks) so results are **replayable**.
**Minimal data model (Mongo)**
- `scan_runs(_id, imageDigest, inputsHash, policyHash, feedsHash, startedAt, finishedAt, parentRunId?)`
- `layer_sboms(scanRunId, layerDigest, sbomCid, symbolIndexCid, layerHash)`
- `file_symbols(scanRunId, path, fileHash, funcIDs[], lang, size, mtime)`
- `diffs(fromRunId, toRunId, kind: 'sbom'|'vex'|'reachability', stats, patch)` (store JSON Patch)
**Algorithm sketch**
1. Resolve base image ancestry → map `old layer digest ↔ new layer digest`.
2. For unchanged layers: reuse `layer_sboms` + `file_symbols`.
3. For changed/added files: resymbolize + reanalyze; restrict callgraph build to **impacted SCCs**.
4. Rejoin OSV/GHSA/vendor vulns → compute reachability deltas → emit **stable JSON Patch**.
**CLI impact**
- `stella scan --deterministic --cache-dir ~/.stella/cache --emit-diff previousRunId`
- `stella diff --from <runA> --to <runB> --format jsonpatch|md`
---
# Unified binary + source reachability (functionlevel)
**Goal:** Decide “is the vulnerable function reachable/used here?” across native and managed code.
**Extraction**
- **Binary symbolizers:**
- ELF: parse `.symtab`/`.dynsym`, DWARF (if present).
- MachO/PE: export tables + DWARF/PDB (if present).
- Build **Canonical Symbol ID (CSID)**: `lang:pkg@ver!binary#file:function(signature)`; normalize C++/Rust mangling.
- **Source symbolizers:**
- .NET (Roslyn+IL), JVM (bytecode), Go (SSA), Node/TS (TS AST), Python (AST), Rust (HIR/MIR if available).
- **Bindings join:** Map FFI edges (P/Invoke, cgo, JNI/JNA, N-API) → **crossecosystem call edges**:
- `.NET P/Invoke` → DLL export CSID.
- Java JNI → `Java_com_pkg_Class_Method` ↔ native export.
- Node N-API → addon exports ↔ JS require() site.
**Reachability pipeline**
1. Build perlanguage call graphs (CG) with framework models (ASP.NET, Spring, Express, etc.).
2. Add FFI edges; merge into a **polyglot call graph**.
3. Mark **entrypoints** (container `CMD/ENTRYPOINT`, web handlers, cron, CLI verbs).
4. For each CVE → {pkg, version, affected symbols[]} map → **is any affected CSID on a path from an entrypoint?**
5. Output evidence:
- `reachable: true|false|unknown`
- shortest path (symbols list)
- probes (optional): runtime samples (EventPipe/JFR/uprobes) hitting CSIDs
**Artifacts emitted**
- `symbols.csi.jsonl` (all CSIDs)
- `polyglot.cg.slices.json` (only impacted SCCs for diffs)
- `reach.vex.json` (OpenVEX/CSAF with functionlevel notes + confidence)
---
# What to build next (lowrisk, highimpact)
- **[Week 12]** Perlayer caches + `scan.lock.json`; file symbolfingerprints (xxh3 + topK funcIDs).
- **[Week 34]** ELF/PE/MachO symbolizer lib with CSIDs; .NET IL + P/Invoke mapper.
- **[Week 56]** Polyglot CG merge + entrypoint discovery from Docker metadata; JSON Patch diffs.
- **[Week 7+]** Runtime probes (optin) to boost confidence and suppress false positives.
---
# Tiny code seeds (C# hints)
**Symbol fingerprint (per file)**
```csharp
record SymbolFingerprint(
string Algo, string Path, long Size, long MTimeUnix,
string ContentHash, string[] FuncIds);
```
**Deterministic scan lock**
```csharp
record ScanLock(
string FeedsHash, string RulesHash, string PolicyHash, string Toolchain,
string ImageDigest, string[] LayerDigests, DateTimeOffset Clock,
IDictionary<string,string> EnvPins);
```
**JSON Patch diff emit**
```csharp
var patch = JsonDiffPatch.Diff(oldVexJson, newVexJson); // stable sort keys beforehand
File.WriteAllText("vex.diff.json", patch);
```
---
If you want, I can turn this into:
- a **.proto** for the cache/index objects,
- a **Mongo schema + indexes** (including compound keys for fast layer reuse),
- and a **.NET 10** service skeleton (`StellaOps.Scanner.WebService`) with endpoints:
`/scan`, `/diff/{from}/{to}`, `/reach/{runId}`.
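Review bot: `mtime` in the symbol fingerprint (`algo|path|size|mtime|xxh3|funcIDs[]`, and `MTimeUnix` in `SymbolFingerprint`) and `DateTimeOffset Clock` in `ScanLock` are not content-derived, so two rebuilds of identical inputs yield different fingerprints and lock hashes, which defeats the "replayable" guarantee the lock is meant to provide; key on the content hash and func IDs only, and record clocks and mtimes as metadata outside the hashed inputs. For the JSON Patch emit, the `// stable sort keys beforehand` comment is not sufficient: RFC 6902 paths into arrays are positional, so the VEX `statements` array must be sorted by a stable key (vulnerability id plus product purl) before diffing, otherwise one inserted statement shifts every later path and the "minimal diff" becomes a full rewrite.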


@@ -0,0 +1,146 @@
Heres a fast, practical idea to speed up container scans: add a **hashbased SBOM layer cache** keyed by **(Docker layer digest + dependencymanifest checksum)** so identical inputs skip recomputation and only verify attestations.
---
### What this is (in plain words)
* **Layers are immutable.** Each image layer already has a content digest (e.g., `sha256:...`).
* **Dependency state is declarative.** Lockfiles/manifest files (NuGet `packages.lock.json`, `package-lock.json`, `poetry.lock`, `go.sum`, etc.) summarize deps.
* If both the **layer bytes** and the **manifest content** are identical to something weve scanned before, recomputing the SBOM/VEX is wasted work. We can **reuse** the previous result (plus a quick signature/attestation check).
---
### Cache key
```
CacheKey = SHA256(
concat(
LayerDigestCanonical, // e.g., "sha256:abcd..."
'\n',
ManifestAlgo, // e.g., "sha256"
':',
ManifestChecksum // hash of lockfile(s) inside the layer FS view
)
)
```
* Optionally include toolchain IDs to prevent crossversion skew:
* `SbomerVersion`, `ScannerRulesetVersion`, `FeedsSnapshotId` (OSV/NVD feed epoch), `PolicyBundleHash`.
---
### When it hits
* **Exact same layer + same manifests** → return cached **SBOM component graph + vuln findings + VEX** and **reverify** the **DSSE/intoto attestation** and timestamps (freshness SLA).
* **Same layer, manifests absent** → fall back to bytelevel heuristics (package index cache); lower confidence.
---
### Minimal .NET 10 sketch (StellaOps)
```csharp
public sealed record LayerInput(
string LayerDigest, // "sha256:..."
string? ManifestAlgo, // "sha256"
string? ManifestChecksum, // hex
string SbomerVersion,
string RulesetVersion,
string FeedsSnapshotId,
string PolicyBundleHash);
public static string ComputeCacheKey(LayerInput x)
{
var s = string.Join("\n", new[]{
x.LayerDigest,
x.ManifestAlgo ?? "",
x.ManifestChecksum ?? "",
x.SbomerVersion,
x.RulesetVersion,
x.FeedsSnapshotId,
x.PolicyBundleHash
});
using var sha = System.Security.Cryptography.SHA256.Create();
return Convert.ToHexString(sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(s)));
}
public sealed class SbomCacheEntry
{
public required string CacheKey { get; init; }
public required byte[] CycloneDxJson { get; init; } // gz if large
public required byte[] VexJson { get; init; }
public required byte[] AttestationDsse { get; init; } // for re-verify
public required DateTimeOffset ProducedAt { get; init; }
public required string FeedsSnapshotId { get; init; } // provenance
}
```
---
### Cache flow (Scanner)
1. **Before scan**
* Extract manifest files from the union FS of the current layer.
* Hash them (stable newline normalization).
* Build `LayerInput`; compute `CacheKey`.
* **Lookup** in `ISbomCache.Get(CacheKey)`.
2. **Hit**
* **Verify attestation** (keys/policy), **check feed epoch** still within tolerance, **resign freshness** if policy allows.
* Emit cached SBOM/VEX downstream; mark provenance as “replayed”.
3. **Miss**
* Run normal analyzers → SBOM → vuln match → VEX lattice.
* Create **intoto/DSSE attestation**.
* Store `SbomCacheEntry` and **index by**:
* `CacheKey` (primary),
* `LayerDigest` (secondary),
* `(ecosystem, manifestChecksum)` for diagnostics.
4. **Invalidation**
* Roll cache on **FeedsSnapshotId** bumps or **RulesetVersion** change.
* TTL optional for emergency revocations; keep **attestation+provenance** for audit.
---
### Storage options
* **Local**: contentaddressed dir (`/var/lib/stellaops/sbom-cache/aa/bb/<cacheKey>.cjson.gz`).
* **Remote**: Redis or Mongo (GridFS) keyed by `cacheKey`; attach indexes on `LayerDigest`, `FeedsSnapshotId`.
* **OCI artifact**: push SBOM/VEX as OCI refs tied to layer digest (helps multinode CI).
---
### Attestation verification (quick)
* On hit: `Verify(AttestationDsse, Policy)`; ensure `subject.digest == LayerDigest` and metadata (`FeedsSnapshotId`, tool versions) matches required policy.
* Optional **freshness stamp**: a tiny, fast “verification attestation” you produce at replay time.
---
### Edge cases
* **Multimanifest layers** (polyglot): combine checksums in a stable order (e.g., `SHA256(man1 + '\n' + man2 + ...)`).
* **Runtimeonly diffs** (no manifest change): include **package index snapshot hash** if you maintain one.
* **Reproducibility drift**: include analyzer version & configuration knobs in the key so the cache never masks rule changes.
---
### Why this helps
* Cold scans compute once; subsequent builds (same base image + same lockfiles) **skip minutes of work**.
* Reproducibility becomes **measurable**: cache hit ratio per repo, per base image, per feed epoch.
---
### Quick tasks to add to StellaOps
* [ ] Implement `LayerInput` + keying in `Scanner.WebService`.
* [ ] Add **Manifest Harvester** step per ecosystem (NuGet, npm, pip/poetry, go, Cargo).
* [ ] Add `ISbomCache` (local + Mongo/OCI backends) with metrics.
* [ ] Wire **attestation reverify** path on hits.
* [ ] Ship a **cache report**: hit/miss, time saved, reasons for miss (ruleset/feeds changed, manifest changed, new analyzer).
If you want, I can draft the actual C# interfaces (cache backend + verifier) and a tiny integration for your existing `Sbomer`/`Vexer` services next.
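Review bot: the hit path ("check feed epoch still within tolerance") contradicts the key: `FeedsSnapshotId` is a required field of `ComputeCacheKey`, so a hit already implies the identical snapshot and the tolerance check is dead code; if the intent is to tolerate feed drift, the key must exclude `FeedsSnapshotId`, and then the cached findings and `VexJson` are stale for any CVE published after `ProducedAt`. The safer split is to cache only the SBOM (which is feed-independent) under layer digest + manifest checksum + `SbomerVersion`, and re-run the vuln join against the current feed on every hit. Two smaller points: `string.Join("\n", ...)` with nullable fields mapped to `""` is unambiguous only while no field can contain a newline, so length-prefix or JSON-encode the tuple; and the attestation check `subject.digest == LayerDigest` should also bind the manifest checksum and tool versions, otherwise an attestation produced under an older ruleset verifies for the new key.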


@@ -0,0 +1,224 @@
Heres a compact, implementationready plan to validate functionlevel reachability with a public, minimal CVE corpus—one runnable example per runtime (Go, .NET, Python, Rust). It gives you known vulnerable symbols, a tiny app that (optionally) calls them, and captured runtime traces to prove reachability.
---
# Corpus layout
```
stellaops-reach-corpus/
README.md
tooling/
capture-dotnet-eventpipe.ps1
capture-go-trace.sh
capture-python-coverage.sh
capture-rust-probe.sh
go/
CVE-YYYY-XXXX-min/
go.mod
vulner/pkg/vuln.go // vulnerable symbol(s): func DoVuln()
app/main.go // calls or avoids DoVuln() via flag
traces/ // .out/.json from runtime
EXPECT.yaml // ground truth: reachable? call path?
dotnet/
CVE-YYYY-XXXX-min/
src/VulnLib/VulnLib.cs // [MethodImpl] public static void DoVuln()
src/App/App.csproj
src/App/Program.cs // --reach / --no-reach
traces/ // .nettrace, EventPipe JSON, stack dumps
EXPECT.yaml
python/
CVE-YYYY-XXXX-min/
vuln/__init__.py // def do_vuln()
app.py // toggle call via env
requirements.txt
traces/coverage/ // coverage.xml + callgraph.json
EXPECT.yaml
rust/
CVE-YYYY-XXXX-min/
Cargo.toml
src/lib.rs // pub fn do_vuln()
src/main.rs // feature flags: reach/no_reach
traces/ // eBPF/usdt or log-markers
EXPECT.yaml
```
---
# EXPECT.yaml (shared contract)
```yaml
id: CVE-YYYY-XXXX
ecosystem: (go|dotnet|python|rust)
packages:
- name: example.org/vulner
version: 1.0.0
symbols:
- fqname: example.org/vulner.DoVuln # or Namespace.Class.Method, module.func
kind: function
scenarios:
- name: reach
args: ["--reach"]
expected:
reachable: true
call_paths:
- ["app.main", "vulner.DoVuln"]
runtime_hits: >=1
- name: no_reach
args: ["--no-reach"]
expected:
reachable: false
call_paths: []
runtime_hits: 0
artifacts:
- sbom: sbom.cdx.json
- trace: traces/reach.trace
notes: Minimal repro; avoid network/filesystem side effects.
```
---
# Minimal vulnerable symbol patterns
**Go**
`vulner/pkg/vuln.go`
```go
package vulner
func DoVuln(input string) string { return "vuln:" + input } // marker
```
`app/main.go`
```go
package main
import (
"flag"
"example.org/vulner"
"fmt"
)
func main() {
reach := flag.Bool("reach", false, "call vuln")
flag.Parse()
if *reach { fmt.Println(vulner.DoVuln("hit")) } else { fmt.Println("skip") }
}
```
**.NET (C# / .NET 10)**
`VulnLib/VulnLib.cs`
```csharp
namespace VulnLib;
public static class V {
public static string DoVuln(string s) => "vuln:" + s; // marker
}
```
`App/Program.cs`
```csharp
using System;
using VulnLib;
var reach = args.Contains("--reach");
Console.WriteLine(reach ? V.DoVuln("hit") : "skip");
```
**Python**
`vuln/__init__.py`
```python
def do_vuln(s: str) -> str:
return "vuln:" + s # marker
```
`app.py`
```python
import os
from vuln import do_vuln
print(do_vuln("hit") if os.getenv("REACH")=="1" else "skip")
```
**Rust**
`src/lib.rs`
```rust
pub fn do_vuln(s: &str) -> String { format!("vuln:{s}") } // marker
```
`src/main.rs`
```rust
use std::env; use vuln::do_vuln;
fn main() {
let reach = env::args().any(|a| a=="--reach");
println!("{}", if reach { do_vuln("hit") } else { "skip".into() });
}
```
---
# Runtime trace capture (tiny, deterministic)
* **Go**: `-toolexec` or `GODEBUG=efence=1` not required; use `go test -run TestReach -vet=off` (optional) + `pprof` or `runtime/trace`.
* `tooling/capture-go-trace.sh`: `go test ./... -run TestNoop && go test -run TestReach -trace=traces/reach.out`
* **.NET**: EventPipe
* `dotnet-trace collect -p $PID --providers Microsoft-DotNETCore-SampleProfiler:0:5`
* Or `dotnet-monitor collect --duration 5s --process-id ... --artifact-type traces`
* **Python**: `coverage run -m app` + `coverage xml -o traces/coverage/coverage.xml`
* **Rust**: simplest is log markers + `RUST_LOG` capture; optional: `perf record -g` or USDT via `tokio-tracing` if you want call sites.
Each trace folder includes a short `trace.json` (normalized stack hits for the vulnerable symbol) produced by a tiny normalizer script you ship in `tooling/`.
---
# SBOM & groundtruth
For each example:
* Generate CycloneDX SBOM (use the languages simplest generator or a tiny script) and include component + symbol annotations (e.g., `properties` with `symbol:fqname`).
* Keep versions pinned to avoid drift.
---
# Validation runner (one command)
`tooling/validate-all.sh`:
1. Build each example twice (reach / no_reach).
2. Capture SBOM + runtime traces.
3. Emit a unified `results.json` with:
* detected symbols from your Symbolizer
* static callgraph reachability
* runtime hit count per symbol
* pass/fail vs `EXPECT.yaml`.
Exit nonzero on any mismatch → perfect for CI gates.
---
# Why this works as a public differentiator
* **Minimal & real**: one tiny, idiomatic app per runtime; clear vulnerable symbol; two scenarios.
* **Auditable**: EXPECT.yaml + traces make results falsifiable.
* **Portable**: no network, no DB; runs in Docker or GitHub Actions.
* **Extensible**: add more CVEs by copying the template and swapping the “vulnerable symbol” (e.g., pathtraversal helper, unsafe deserializer stub, weak RNG wrapper).
---
# Next steps I can deliver immediately
* Bootstrap repo with the above structure.
* Add the four first examples + scripts.
* Wire a single `validate-all` CLI to produce a JUnitstyle report for your CI.
If you want, Ill generate the skeleton with readytorun code, EXPECTs, and the capture scripts tailored to your .NET 10 + Docker workflow.
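Review bot: the Python example breaks the shared `EXPECT.yaml` contract: scenarios drive the app with `args: ["--reach"]` / `["--no-reach"]`, but `app.py` toggles on `os.getenv("REACH")=="1"` and ignores argv, so the `reach` scenario prints `skip` and fails; either parse `--reach` in `app.py` like the other three runtimes or add an `env:` field to the scenario schema. The Go layout is also inconsistent: `vulner/pkg/vuln.go` declares `package vulner`, but `app/main.go` imports `example.org/vulner`, which resolves to the `vulner/` directory rather than `vulner/pkg/`; move the file up or import `example.org/vulner/pkg`. And `capture-go-trace.sh` runs `go test -run TestReach`, but no `_test.go` file exists in the layout, so the trace capture has nothing to execute.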


@@ -0,0 +1,34 @@
Heres a quick, concrete proposal to **lock in a stable SBOM model for StellaOps**: use **SPDX3.0.1** as your canonical persistence schema and **CycloneDX1.6** as the interchange “view,” bridged by a deterministic transform.
**Why this pairing**
* **SPDX3.0.1** gives you a rigorous, profilebased data model (Core/Security/AI/Build, etc.) with explicit **Relationship** semantics—ideal for longlived storage and graph queries. ([SPDX][1])
* **CycloneDX1.6** excels at exchange: widely adopted, supports **services/SaaSBOM**, **attestations (CDXA)**, **CBOM (crypto inventory)**, MLBOM, and more—perfect for producing portable BOMs for customers and regulators. ([CycloneDX][2])
**Target architecture (minimal)**
* **Persistence:** Store SBOMs as SPDX3.0.1 (JSONLD/RDF), normalized into your Mongo eventsourced graph; keep Relationship edges firstclass. ([SPDX][1])
* **Interchange:** On export, render CycloneDX1.6 (JSON/XML) including `components`, `services`, `dependencies`, `vulnerabilities`, and optional CBOM/CDXA blocks. ([SBOM Observer][3])
* **Deterministic transform:** Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byteforbyte reproducibility across offline sites.
**Quick win mapping examples**
* SPDX `Element` + `RelationshipType` → CycloneDX `dependencies` graph. ([SPDX][4])
* SPDX Security profile findings → CycloneDX `vulnerabilities` entries. ([SPDX][1])
* SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). ([SPDX][5])
* Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX **CBOM** on export for policy checks (CNSA/NIST). ([CycloneDX][2])
**Governance & standards signal**
* SPDX3.0.x is actively aligned with **OMG/ISO** submissions (good longterm bet for storage). ([SPDX Lists][6])
* CycloneDX1.6 is the current, actively enhanced interchange standard used across vendors and tooling. ([GitHub][7])
If you want, Ill draft the exact fieldbyfield mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.
[1]: https://spdx.github.io/spdx-spec/v3.0.1/?utm_source=chatgpt.com "SPDX Specification 3.0.1"
[2]: https://cyclonedx.org/news/cyclonedx-v1.6-released/?utm_source=chatgpt.com "CycloneDX v1.6 Released, Advances Software Supply ..."
[3]: https://sbom.observer/academy/learn/topics/cyclonedx?utm_source=chatgpt.com "What is CycloneDX?"
[4]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/RelationshipType/?utm_source=chatgpt.com "RelationshipType - SPDX Specification 3.0.1"
[5]: https://spdx.dev/wp-content/uploads/sites/31/2024/12/SPDX-3.0.1-1.pdf?utm_source=chatgpt.com "SPDX© Specification v3.0.1"
[6]: https://lists.spdx.org/g/Spdx-tech/topic/release_3_0_1_of_the_spdx/110308825?utm_source=chatgpt.com "Release 3.0.1 of the SPDX Specification"
[7]: https://github.com/CycloneDX/specification?utm_source=chatgpt.com "CycloneDX/specification"
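Review bot: the "deterministic transform" bullet should state that the SPDX→CycloneDX direction is lossy and say what happens to the dropped information: SPDX 3.0.1 `RelationshipType` carries far more edge kinds than the CycloneDX `dependencies` graph (which expresses only `dependsOn`/`provides`), so relationships such as contains, generates or describes have no target; either carry them as `properties` on the component, or document that persistence is SPDX-only and the CycloneDX view is not expected to round-trip. For "stable UUID seeds", name the scheme (for example UUIDv5 over a fixed namespace plus the SPDX element id for `serialNumber` and `bom-ref`), since the byte-for-byte claim depends on it. Minor: the reference URLs carry `?utm_source=chatgpt.com` tracking parameters that should be stripped.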


@@ -0,0 +1,132 @@
Heres a practical, plainEnglish game plan to validate three big StellaOps claims—quiet scans, provenance, and diffnative CI—so you (and auditors/customers) can reproduce the results endtoend.
---
# 1) “Explainably quiet by design”
**Goal:** Fewer falsealarms, with every suppression justified (reachability/VEX), and every alert deduplicated and actionable.
**What to measure**
* **Noise rate:** total findings vs. actionable (has fix/KB/CWE + reachable or policyrelevant).
* **Dedup:** identical CVE across layers/repos counted once.
* **Explainability:** % of findings with a clear path (package → symbol/function → evidence).
* **Suppression justifications:** % of suppressed items with VEX reason (not affected, configuration, environment, reachability).
**A/B test setup**
* **Repos (representative mix):** .NET (aspnet app & library), JVM (Spring), Node/TS (Nest), Python (FastAPI), Go (CLI), container base images (Alpine, Debian, Ubuntu), and a knownnoisy monorepo.
* **Modes:** `baseline=no VEX/reach`, `quiet=reach+VEX+dedup`.
* **Metrics capture:** emit JSONL per repo with counts and examples.
**Minimal harness (pseudo)**
```bash
# baseline
stella scan repo --out baseline.jsonl --no-reach --no-vex --no-dedup
# quiet
stella scan repo --out quiet.jsonl --reach --vex openvex.json --dedup
stella explain --in quiet.jsonl --evidence callgraph,eventpipe --why > explain.md
stella metrics compare baseline.jsonl quiet.jsonl > ab_summary.md
```
**Pass criteria (suggested)**
* ≥50% reduction in nonactionable alerts.
* 100% of suppressions carry VEX+reason.
* ≥90% of actionable findings link to evidence (reachable symbol or policy gate).
---
# 2) “Provenancefirst DevSecOps”
**Goal:** Ship a verifiable bundle anyone can check offline: SBOM + attestations + transparencylog proof.
**What to export**
* **SBOM:** CycloneDX 1.6 or SPDX 3.0.1.
* **Provenance attestation:** intoto/DSSE (builder, materials, recipe, digest).
* **Signatures:** Sigstore (cosign) or regional crypto (pluggable).
* **Transparency log receipt:** Rekor (or mirror) inclusion proof.
* **Policy snapshot:** the exact policy/lattice and feed hashes used.
* **Repro manifest:** declarative inputs so scans are replayable.
**Oneshot exporter**
```bash
stella bundle export \
--sbom cyclonedx.json \
--attest provenance.intoto.jsonl \
--sig cosign.sig \
--rekor-inclusion rekor.json \
--policy policy.yml \
--replay manifest.lock.json \
--out stella-proof-bundle.tgz
```
**Independent verification (clean machine)**
```bash
stella bundle verify stella-proof-bundle.tgz \
--check-sig --check-rekor --check-sbom --check-policy --replay
# Output should show digest matches, valid DSSE, Rekor inclusion, and replay parity.
```
**Pass criteria**
* All cryptographic checks pass offline.
* Replay produces byteidentical findings set (or a diff limited to timevarying feeds pinned by hash).
---
# 3) “Diffnative CI for containers”
**Goal:** Rescan only what changed (layers/deps/policies) with equal detection parity and lower walltime.
**Test matrix**
* **Images:** multistage app (runtime+deps), language runtimes (dotnet, jre, node, python), and a “fat” base (ubuntu:XX).
* **Changes:** Dockerfile ENV only, add/remove package, patch app DLL/JAR/JS, policy toggle.
**Runs**
```bash
# Full scan
time stella image scan myimg:old > full_old.json
time stella image scan myimg:new > full_new.json
# Diff-aware
time stella image scan myimg:new --diff-from myimg:old --cache .stella-cache > diff_new.json
stella parity check full_new.json diff_new.json > parity.md
```
**Metrics**
* **Parity:** same actionable findings IDs (allowing dedup).
* **Speedup:** (full time) / (diff time).
* **Cache hit ratio:** reused layers/components.
**Pass criteria**
* 100% actionable parity on modified images.
* ≥3× faster on typical “small change” commits; no worse than full scan when cache misses.
---
## What youll publish (deliverables)
* `VALIDATION_PLAN.md` — steps above with fixed seeds (image digests, repo SHAs).
* `harness/` — scripts to run A/B and diff tests, export bundles, and verify.
* `results/YYYYMM/` — raw JSONL, parity reports, timing tables, and a 1page summary.
* `policy/` — locked policy + feed hashes used in the runs.
---
## Nicetohave extras
* **Reachability/VEX gallery:** a few “before/after” call graphs and suppression cards.
* **Auditor mode:** `stella audit open stella-proof-bundle.tgz` → readonly UI that renders SBOM, VEX, signatures, Rekor proof, and replay log.
* **CI examples:** GitLab/GitHub YAML snippets for full vs. diff jobs with caching.
If you want, I can spit out the repoready scaffold (folders, stub scripts, sample policies) tailored to your .NET10 + Docker setup so you can run this tonight.
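Review bot: the "Provenance-first" section promises that `stella bundle verify ... --check-rekor` passes on a clean, offline machine, but the "What to export" list only ships the Rekor inclusion proof (`rekor.json`); verifying an inclusion proof offline also needs the log's public key and a signed checkpoint (tree head) to check the proof against, otherwise the verifier either phones home or trusts whatever root hash the bundle claims. Add those to the export list (or state that they are embedded in `rekor.json`) so the "All cryptographic checks pass offline" pass criterion is actually achievable. Related: the same section's pass criterion "byte-identical findings set (or a diff limited to time-varying feeds pinned by hash)" contradicts itself; if the feed hashes are pinned in the policy snapshot there is no time-varying input, so either require strict parity or spell out which inputs are allowed to drift. The diff-native section uses mutable tags (`myimg:old`, `myimg:new`, `ubuntu:XX`) while the deliverables call for fixed seeds with image digests; the snippets should reference `@sha256:` digests or the parity runs will not be reproducible. Only the first harness is labelled "(pseudo)"; the `stella bundle` and `stella image scan --diff-from` flags should be confirmed against the real CLI or given the same label. Finally, "If you want, I can spit out the repo-ready scaffold ... so you can run this tonight" is drafting-tool residue and should not ship in a committed validation plan.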

56
src/Findings/AGENTS.md Normal file

@@ -0,0 +1,56 @@
# Findings Ledger · AGENTS.md
## Working directory
- Primary path: `src/Findings/StellaOps.Findings.Ledger` (and sibling test project under `src/Findings/__Tests` when exercising tests).
- Do not touch other modules unless the sprint explicitly permits cross-module edits; Orchestrator/AirGap/Attestor integration work must land behind feature flags and be coordinated via their sprints.
## Roles covered
- Backend engineer: .NET 10/C# for ledger services, projections, provenance links, Merkle anchoring.
- QA / determinism: replay harness, property/integration tests, load testing at ≥5M findings/tenant.
- Observability / DevOps: metrics, logs, dashboards, alert wiring, deployment/backup/offline kits.
## Required reading before DOING
- Global: `docs/README.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/modules/platform/architecture-overview.md`.
- Ledger module:
- `docs/modules/findings-ledger/observability.md`
- `docs/modules/findings-ledger/replay-harness.md`
- `docs/modules/findings-ledger/deployment.md`
- `docs/modules/findings-ledger/implementation_plan.md`
- `docs/modules/findings-ledger/airgap-provenance.md`
- `docs/modules/findings-ledger/schema.md` (sealed-mode and Merkle root structure)
- `docs/modules/findings-ledger/workflow-inference.md` (projection rules)
- Observability policy: `docs/observability/policy.md`.
## Execution rules
- Update sprint `Delivery Tracker` status when you start/stop/finish: TODO → DOING → DONE/BLOCKED.
- If a contract/design decision is missing, mark the task BLOCKED in the sprint, add the decision needed under **Decisions & Risks**, then continue with other unblocked tasks.
- Keep outputs deterministic: UTC ISO-8601 timestamps, stable ordering, seeded property tests, repeatable replay runs.
## Coding & data guidelines
- Target .NET 10; prefer latest C# preview features allowed by repo tooling.
- Logging: structured `Ledger.*` logs; no PII; include `tenant`, `chain`, `policy`, `status`, `anchor` labels where applicable.
- Metrics: emit only metric names/labels listed in `observability.md`; new series require Observability Guild approval.
- Storage: follow schema in `schema.md`; preserve Merkle invariants and provenance pointers (orchestrator job IDs, bundle IDs, DSSE/attestation IDs).
- Feature flags: gate Orchestrator/AirGap/Attestor integrations; defaults must be safe for air-gapped/offline mode.
## Testing
- Mandatory: unit + property tests for ledger state/merkle roots; integration tests for projections and provenance pointers.
- Replay/determinism: use the harness in `replay-harness.md` (5M findings/tenant scenario); produce signed harness report (DSSE) for LEDGER-29-008.
- Load tests should record CPU/memory budgets as part of run artifacts; keep seeds and fixtures under version control.
## Observability & operations
- Metrics/logs/traces via OpenTelemetry → OTLP → Prometheus/Tempo/Loki; respect `observability.enabled` flag.
- Dashboards: include Grafana JSON exports under `offline/telemetry/dashboards/ledger`.
- Alerts: wire as documented in `observability.md`; for air-gap emit to syslog + CLI incident scripts.
- Deployments: follow `deployment.md` for Helm/Compose overlays, migrations, backup/restore, and offline kits.
## Offline/air-gap
- Never assume external network; rely on mirrored feeds and bundled assets.
- Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) when importing advisories/VEX/policies as per `airgap-provenance.md`.
- Exports that become stale beyond documented thresholds must be blocked with remediation messaging.
## Acceptance checklist for changes
- Tests updated/added and passing locally (`dotnet test` within module scope).
- Metrics/logs follow approved names and labels; dashboards/alerts updated if schemas change.
- Replay harness run (or planned) for determinism-impacting changes; attach/report results.
- Docs updated when contracts or workflows change (module docs, observability policy, sprint Decisions & Risks).
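Review bot: under "Offline/air-gap", the rule that "Exports that become stale beyond documented thresholds must be blocked" does not say where the thresholds are documented; the other rules in this file cite a specific module doc (`airgap-provenance.md`, `schema.md`, `observability.md`), so this one should too, or a new contributor cannot tell which threshold to enforce. Under "Coding & data guidelines", "prefer latest C# preview features allowed by repo tooling" sits uneasily beside the determinism and replay requirements in the same file; preview language features change semantics between SDK drops, so consider pinning to the `LangVersion` the repo build sets and saying so here. Style: "ledger state/merkle roots" in the Testing section vs "Merkle anchoring" and `merkle_root` elsewhere; use one spelling.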